From 0309d5890dd9ab1767eaa99565e3c47f33a4d1d5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Mon, 28 Sep 2020 20:48:20 +0200 Subject: [PATCH 001/220] Update i_u_m_update.md --- docs/i_u_m_update.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/docs/i_u_m_update.md b/docs/i_u_m_update.md index ab8b0bbfb..2a5e02bea 100644 --- a/docs/i_u_m_update.md +++ b/docs/i_u_m_update.md @@ -13,6 +13,17 @@ If it needs to, it will ask you how you wish to proceed. Merge errors will be reported. Some minor conflicts will be auto-corrected (in favour for the mailcow: dockerized repository code). +### I forgot what I changed before running update.sh + +See `git log --pretty=oneline | grep -i "before update"`, you will have an output similar to this: + +``` +22cd00b5e28893ef9ddef3c2b5436453cc5223ab Before update on 2020-09-28_19_25_45 +dacd4fb9b51e9e1c8a37d84485b92ffaf6c59353 Before update on 2020-08-07_13_31_31 +``` + +Run `git diff 22cd00b5e28893ef9ddef3c2b5436453cc5223ab` to see what changed. + ### Options ``` From f49a80e0a830d62c7c290621bc33b0cd3703eecb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Mon, 28 Sep 2020 20:50:17 +0200 Subject: [PATCH 002/220] Update i_u_m_update.md --- docs/i_u_m_update.md | 35 ++++++++++++++++++++++++----------- 1 file changed, 24 insertions(+), 11 deletions(-) diff --git a/docs/i_u_m_update.md b/docs/i_u_m_update.md index 2a5e02bea..7ace7e5a4 100644 --- a/docs/i_u_m_update.md +++ b/docs/i_u_m_update.md 
@@ -13,17 +13,6 @@ If it needs to, it will ask you how you wish to proceed. Merge errors will be reported. Some minor conflicts will be auto-corrected (in favour for the mailcow: dockerized repository code). -### I forgot what I changed before running update.sh - -See `git log --pretty=oneline | grep -i "before update"`, you will have an output similar to this: - -``` -22cd00b5e28893ef9ddef3c2b5436453cc5223ab Before update on 2020-09-28_19_25_45 -dacd4fb9b51e9e1c8a37d84485b92ffaf6c59353 Before update on 2020-08-07_13_31_31 -``` - -Run `git diff 22cd00b5e28893ef9ddef3c2b5436453cc5223ab` to see what changed. - ### Options ``` @@ -52,6 +41,30 @@ Run `git diff 22cd00b5e28893ef9ddef3c2b5436453cc5223ab` to see what changed. ./update.sh --prefetch ``` +### I forgot what I changed before running update.sh + +See `git log --pretty=oneline | grep -i "before update"`, you will have an output similar to this: + +``` +22cd00b5e28893ef9ddef3c2b5436453cc5223ab Before update on 2020-09-28_19_25_45 +dacd4fb9b51e9e1c8a37d84485b92ffaf6c59353 Before update on 2020-08-07_13_31_31 +``` + +Run `git diff 22cd00b5e28893ef9ddef3c2b5436453cc5223ab` to see what changed. + +### Can I role back? + +Yes. + +See the topic above, instead of diff, run... + +``` +docker-compose down +# Replace commit ID 22cd00b5e28893ef9ddef3c2b5436453cc5223ab by your ID +git checkout 22cd00b5e28893ef9ddef3c2b5436453cc5223ab +docker-compose up -d +``` + ## Manual update (not maintained anymore, please use update.sh) ### Step 1 From ac47ce808be225e7f69987f95fb374b09352d135 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Mon, 28 Sep 2020 20:50:37 +0200 Subject: [PATCH 003/220] Update i_u_m_update.md --- docs/i_u_m_update.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/i_u_m_update.md b/docs/i_u_m_update.md index 7ace7e5a4..228bff766 100644 --- a/docs/i_u_m_update.md +++ b/docs/i_u_m_update.md 
@@ -62,6 +62,7 @@ See the topic above, instead of diff, run... docker-compose down # Replace commit ID 22cd00b5e28893ef9ddef3c2b5436453cc5223ab by your ID git checkout 22cd00b5e28893ef9ddef3c2b5436453cc5223ab +docker-compose pull docker-compose up -d ``` From ec9efaa6a7fe4b595719235240207e522b912412 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Mon, 28 Sep 2020 20:51:16 +0200 Subject: [PATCH 004/220] Update i_u_m_update.md --- docs/i_u_m_update.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/i_u_m_update.md b/docs/i_u_m_update.md index 228bff766..b72b58744 100644 --- a/docs/i_u_m_update.md +++ b/docs/i_u_m_update.md @@ -56,7 +56,7 @@ Run `git diff 22cd00b5e28893ef9ddef3c2b5436453cc5223ab` to see what changed. Yes. -See the topic above, instead of diff, run... +See the topic above, instead of a diff, you run checkout: ``` docker-compose down From 0067840f67ed6ae15cfb83126cacbb2636f76afd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Fri, 2 Oct 2020 14:17:54 +0200 Subject: [PATCH 005/220] Update debug-reset_pw.md --- docs/debug-reset_pw.md | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/docs/debug-reset_pw.md b/docs/debug-reset_pw.md index 508701703..bcc7a0c59 100644 --- a/docs/debug-reset_pw.md +++ b/docs/debug-reset_pw.md @@ -36,6 +36,8 @@ MariaDB [(none)]> show databases; ### 2\. Reset one or more users +#### 2\.1 Maria DB < 10.4 (older mailcow installations) + Both "password" and "authentication_string" exist. Currently "password" is used, but better set both. ``` @@ -43,7 +45,7 @@ MariaDB [(none)]> SELECT user FROM mysql.user; +--------------+ | user | +--------------+ -| mailcow_user | <===== +| mailcow | <===== | root | +--------------+ 2 rows in set (0.00 sec) 
@@ -54,6 +56,25 @@ MariaDB [(none)]> UPDATE mysql.user SET authentication_string = PASSWORD('mookuh MariaDB [(none)]> FLUSH PRIVILEGES; ``` +#### 2\.2 Maria DB >= 10.4 (current mailcows) + +``` +MariaDB [(none)]> SELECT user FROM mysql.user; ++--------------+ +| user | ++--------------+ +| mailcow | <===== +| root | ++--------------+ +2 rows in set (0.00 sec) + +MariaDB [(none)]> FLUSH PRIVILEGES; +MariaDB [(none)]> ALTER USER 'mailcow'@'%' IDENTIFIED BY 'FB6RsEqbfxjc10MqVt5hGpf3zk0F'; +MariaDB [(none)]> ALTER USER 'root'@'%' IDENTIFIED BY 'kRFU4SG9ZTWAS7vMd3Nh4uTkk7Ns'; +MariaDB [(none)]> ALTER USER 'root'@'localhost' IDENTIFIED BY 'kRFU4SG9ZTWAS7vMd3Nh4uTkk7Ns'; +MariaDB [(none)]> FLUSH PRIVILEGES; +``` + ## Remove Two-Factor Authentication This works similar to resetting a MySQL password, now we do it from the host without connecting to the MySQL CLI: From 3730e1a5c188dbfc2a5d3a78c281efe276f68c22 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Fri, 2 Oct 2020 14:18:18 +0200 Subject: [PATCH 006/220] Update debug-reset_pw.md --- docs/debug-reset_pw.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/debug-reset_pw.md b/docs/debug-reset_pw.md index bcc7a0c59..3f14e8687 100644 --- a/docs/debug-reset_pw.md +++ b/docs/debug-reset_pw.md @@ -69,9 +69,9 @@ MariaDB [(none)]> SELECT user FROM mysql.user; 2 rows in set (0.00 sec) MariaDB [(none)]> FLUSH PRIVILEGES; -MariaDB [(none)]> ALTER USER 'mailcow'@'%' IDENTIFIED BY 'FB6RsEqbfxjc10MqVt5hGpf3zk0F'; -MariaDB [(none)]> ALTER USER 'root'@'%' IDENTIFIED BY 'kRFU4SG9ZTWAS7vMd3Nh4uTkk7Ns'; -MariaDB [(none)]> ALTER USER 'root'@'localhost' IDENTIFIED BY 'kRFU4SG9ZTWAS7vMd3Nh4uTkk7Ns'; +MariaDB [(none)]> ALTER USER 'mailcow'@'%' IDENTIFIED BY 'mookuh'; +MariaDB [(none)]> ALTER USER 'root'@'%' IDENTIFIED BY 'gotr00t'; +MariaDB [(none)]> ALTER USER 'root'@'localhost' IDENTIFIED BY 'gotr00t'; MariaDB [(none)]> FLUSH PRIVILEGES; ``` 
From 7fb4a246c147d6ac60184cfd435b3726d1444518 Mon Sep 17 00:00:00 2001 From: Peter Date: Sat, 3 Oct 2020 12:54:46 +0200 Subject: [PATCH 007/220] Remove EoL updated method --- docs/i_u_m_update.md | 47 -------------------------------------------- 1 file changed, 47 deletions(-) diff --git a/docs/i_u_m_update.md b/docs/i_u_m_update.md index b72b58744..7683288f9 100644 --- a/docs/i_u_m_update.md +++ b/docs/i_u_m_update.md @@ -66,53 +66,6 @@ docker-compose pull docker-compose up -d ``` -## Manual update (not maintained anymore, please use update.sh) - -### Step 1 - -``` -docker-compose down -``` - -Fetch new data from GitHub, commit changes and merge remote repository: - -``` -# 1. Get updates/changes -git fetch origin master -# 2. Add all changed files to local clone -git add -A -# 3. Commit changes, ignore git complaining about username and mail address -git commit -m "Local config at $(date)" -# 4. Merge changes, prefer mailcow repository, replace "theirs" by "ours" to change merge strategy -git merge -Xtheirs -Xpatience - -# If it conflicts with files that were deleted from the mailcow repository, just run... -git status --porcelain | grep -E "UD|DU" | awk '{print $2}' | xargs rm -v -# ...and repeat step 2 and 3 -``` - -### Step 2 - -Pull new images (if any) and recreate changed containers: - -``` -docker-compose pull -docker-compose up -d --remove-orphans -``` - -### Step 3 -Clean-up dangling (unused) images and volumes: - -It is **very important** to _not_ run these commands when your containers are deleted. -Running `docker-compose down` - for example - will delete your containers. Your volumes are now in a dangling state! Running the commands shown below, _will_ remove your volumes and therefore your data. - - -``` -docker rmi -f $(docker images -f "dangling=true" -q) -docker volume rm $(docker volume ls -qf dangling=true) -``` - - ## Footnotes - There is no release cycle regarding updates. From 750861849499256a1a3aee8b2bffec198af9a1e4 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Sun, 4 Oct 2020 14:15:32 +0200 Subject: [PATCH 008/220] Update firststeps-ssl.md --- docs/firststeps-ssl.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/firststeps-ssl.md b/docs/firststeps-ssl.md index 8422c0b44..0d9176ac7 100644 --- a/docs/firststeps-ssl.md +++ b/docs/firststeps-ssl.md @@ -101,6 +101,8 @@ Make sure you disable mailcows internal LE client (see above). To use your own certificates, just save the combined certificate (containing the certificate and intermediate CA/CA if any) to `data/assets/ssl/cert.pem` and the corresponding key to `data/assets/ssl/key.pem`. +**IMPORTANT:** Do not use symbolic links! Make sure you copy the certificates and do not link them to `data/assets/ssl`. + Restart affected services afterwards: ``` From aa71513bc72968464713200656532d6e47b77401 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Sun, 4 Oct 2020 19:41:07 +0200 Subject: [PATCH 009/220] Update u_e-dovecot-vmail-volume.md --- docs/u_e-dovecot-vmail-volume.md | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/docs/u_e-dovecot-vmail-volume.md b/docs/u_e-dovecot-vmail-volume.md index 80bdbcd7b..40a339843 100644 --- a/docs/u_e-dovecot-vmail-volume.md +++ b/docs/u_e-dovecot-vmail-volume.md @@ -1,12 +1,11 @@ -If you want to use another folder for the vmail-volume, you can create an `docker-compose.override.yml` file and add: +If you want to use another folder for the vmail-volume, you can create a `docker-compose.override.yml` file and add the following content: + ``` version: '2.1' -volumes: - vmail-vol-1: - driver_opts: - type: none - device: /data/mailcow/vmail - o: bind +services: + dovecot-mailcow: + volumes: + - /data/mailcow/vmail:/var/vmail ``` ### Moving an existing vmail folder: From 1f6c8a416bae7ecd566982effc11bf4348f2bc7d Mon Sep 17 00:00:00 2001 
From: Braintelligence Date: Mon, 5 Oct 2020 10:03:45 +0200 Subject: [PATCH 010/220] Additional example for expunge, useful for cleanup Additional example for expunge, useful for cleanup of old mails. I used this to clean mails that were older than 5 years. --- docs/u_e-dovecot-expunge.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/u_e-dovecot-expunge.md b/docs/u_e-dovecot-expunge.md index a3ab62f7e..2c5f97710 100644 --- a/docs/u_e-dovecot-expunge.md +++ b/docs/u_e-dovecot-expunge.md @@ -16,6 +16,12 @@ Delete **all** user's mails in the junk folder that are **older** than 7 days docker-compose exec dovecot-mailcow doveadm expunge -A mailbox 'Junk' savedbefore 7d ``` +Delete **all** mails (of all users) in **all** folders that are **older** than 52 weeks (internal date of the mail, not the date it was saved on the system => `before` instead of `savedbefore`). Useful for deleting very old mails on all users and folders (thus especially useful for GDPR-compliance). + +``` +docker-compose exec dovecot-mailcow doveadm expunge -A mailbox % before 52w +``` + Delete mails inside a custom folder **inside** a user's inbox that are **not** flagged and **older** than 2 weeks ``` From 0a80748ce413517ce30f70762ed75c2c203786eb Mon Sep 17 00:00:00 2001 From: Braintelligence Date: Mon, 5 Oct 2020 10:17:38 +0200 Subject: [PATCH 011/220] Add another way of connecting Cal/CardDAV to TB --- docs/client/client-thunderbird.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/docs/client/client-thunderbird.md b/docs/client/client-thunderbird.md index 900a0577e..ffd8f22e1 100644 --- a/docs/client/client-thunderbird.md +++ b/docs/client/client-thunderbird.md @@ -54,3 +54,11 @@ Automatic configuration of calendars and address books in Thunderbird is not cur
Automatic configuration of calendars and address books (from step 9 onward) in Thunderbird is only supported if your server administrator has enabled [SOGo Connector](https://mailcow.github.io/mailcow-dockerized-docs/third_party-thunderbird).
+ +## Different method of connecting Cal-/CardDAV in Thunderbird with automatic detection of address books and calendars + +Instead of using SOGo Connector you can use a combination of +- https://addons.thunderbird.net/de/thunderbird/addon/tbsync/ and +- https://addons.thunderbird.net/de/thunderbird/addon/dav-4-tbsync/ + +To add Cal-/CardDAV accounts you go to `Tools` and look near the account settings - there should be a new entry about TbSync there. You can add new accounts via the CalDAV & CardDAV provider there. From faa0b01e3c07fe6f93f5ac3902fe47c1e1d39a70 Mon Sep 17 00:00:00 2001 From: Braintelligence Date: Mon, 5 Oct 2020 11:31:38 +0200 Subject: [PATCH 012/220] Images for better explanation of TbSync --- docs/images/thunderbird-tbsync-caldav.png | Bin 0 -> 33035 bytes docs/images/thunderbird-tbsync-enable.png | Bin 0 -> 40052 bytes docs/images/thunderbird-tbsync.png | Bin 0 -> 22902 bytes 3 files changed, 0 insertions(+), 0 deletions(-) create mode 100644 docs/images/thunderbird-tbsync-caldav.png create mode 100644 docs/images/thunderbird-tbsync-enable.png create mode 100644 docs/images/thunderbird-tbsync.png 
diff --git a/docs/images/thunderbird-tbsync-caldav.png b/docs/images/thunderbird-tbsync-caldav.png new file mode 100644 index 0000000000000000000000000000000000000000..b9f60023b785de3e10383b46d51081466f576b24 GIT binary patch literal 33035
zx3LPNn>XCp-UXky!_E9hE?>cZ3B!dOQ9wCGtFX#$dOw>^Ta z6sHB{2bKOP%%xt6>UY^-j*9&lm~xQS0msDarLB^C{x9V6wx|U`!^#6@nCJ|SzSxhW z|GGtDR&KZ)He5zov#7K0>{A65@XdRHD{N#S+MJy?+uu7CA$DBpSaB40h;3beYkf#6 zB9(1?q4eX6%dCC5QwJkA2NJB{FU_qImlLcaSv`d(6;*|;tIIjR7-38Y3r9Ijw>(Xz zh)Ow%PLY{dg}r)6Cs|J?OijUJ9bx0@^k^o*>6Arz<532y{Uyo%;jbYG_MPbP(Xn2^ zq5~mAU_|Xa9ul8Z^uDVwY6`E$3m_;y@HL)h_$f}=#!+naQf2Qp$A0d5`8;8R_RP-= zN74hIpq#v!m=%~16r3O|@Rxt6psSx02r#Oqdj)b_A_!o;xs^l}|M zz9(bt-$L(9!c@X^!VIvRr(&mLXJTi8bf8t65AunRtb2+YyiCcB7d zY1U_WRGH^MaAg{^S!I`H&QX_8Rx?(|?UYM>GU1oij0eW$8Wqsc zpkS}T5pTJ)vB(t5L8tJa!C$o-3Kn}K5Apc#$>7JOqX9n7qGY(vKueM*?g5sf$@G$M z@HMLB`KRiTP+3@5=rWJrH%iDn7JW|huF7i;P#uRYjkQ?8CdqB910L8Z0<3eXmERK5 zQq5r>;Ob+XZCxd|O5xKsB1)4nP1B-G2Wm-mD2Pk3*N8(~SGl}!IXAI!qqON-bZKK; zbm=XQp{T}5Kcj*Zmq8epeV2wAauH2DTo45L@j{L&WZPGC1nDKqI6^ft$3r|5vC;^w zPRR0H=pngI|7kfC`h95_7pcEOnL_F z=eDm_^%DKnXG2|GyzLdg7|dpusH)Wii3%TkJd{BGG~C>G1-@RHC-9pM)&e_8S0#jS z^c7QRB*ZV@E<1KQKC-Vi8p~NhK+)(i2YAn2JTn4xwRJJ?I5cs1ok^m*l)$p1OntJ# zjk;Q>1XebUd|*2J356TWR>vl{YkVd8{mUjlCy?j8DPV@u0`u&HVoam(3GCBA(XfYVGy$0_w0m_`MB~5lR1H{M4KjHoYGh_Sh#xD|5Kdi5AMzt*e zd_R-er#&_e(8*eY6sThL0U{Gw}wJQ zEp8+_yI?|3Ew0P1AZA3@E+*x899i+vzo38+&qcvyHc1SU1~J>ml59>v_TQ6;=9M%5 zhX=pe%H8-92wRs}&KX4ww?ne1@d>5Kxi)*zFM9<~R5j@V6~?qT+8zU|I^k2RbUHz2 zy3Zlph*=3L(Ae!o37hHjU@|kJipb;IhL*TXgLp=_W=^)kVO=7j&&|^3@SZ0qp*%%DGxx)Xvq{WZ%TiT$R)=HNWCF&M3X9GfZ?o}kH-(spFY2Ne&cNTB2l1=z zVl#xn2w0l*c_$xJFsVH|`NFl{Q_O3XK1lv?VSQwMMBru%N; zE2T<<3RV!2EIp8eH|29~;Flo&D?VG(tG!VoG|_~N`LarF<8PNb#igXgqD6rgw^vrl zi$!?vbZoVmHyEM^c3q}Px<$rJwzs2Uj_dZg{d%96kFO>iaVOlqDHDo}8AY17jBW&; zk+qvcudO7}7pHZ?h8vx*k0V=usgl?H@!b^6wD=T-h;p|`>n za!YQCZT0q*Qa{eU>E#{Lw3K+)l2L)qyHAs;i|~{ULAI|ruRZfwI_|U5EE{WJ z>IMC^oku@DZ&~2ufqlTVEYzb0-VX2MkzFjtUf6hdfOwSVV>!Wj9!1Imrd?c)FeC|+ zhW;2LlD0>OO=auwXS`5&V;#LQ4G^r;($z_DPeN0V7C4#O(G}w_+WluAkYY^A&*zbL zvMnlY>^|8NNmv1Bt9?d2MJ}cMuO3cIPdrR(>FJ`AEVGL#M_C;)O!ZUJ3x&QGdJpBP zaGx*od^Y27eh`g*2-D8DTisHid&-Wfb(O%xYe-~-Hp$u=z&Ohbn5At+lK 
zW9E;#7BiXx+cC1c9`d^LQj`ytw^_%V|I^5ULjqHbgoBWaK~hb%(^SX_#@h_jYU6;KtJQW=p>JQNxB(|NXg0ve%n)w%@L-XaGCn7C7 zYXHP*uW7w6SYA-oXW>YIHWhX-~;E4 z>0*LHCYj)EPvoo|^+|oXH}qnk?@Weq`Hk~MApzj+LCL);0n`$^QSM@8(I#4MyFGCR z&L~r1UW#s|soDV)-NY@7?8DfWAazdofoM6ZrEu6DmJE;Ez(p-dOcZWa@pG3-T&mg3 zL?T4S{-s5vpLdn%M;yCY3nDtf1k9+Q9eX47E!sZTC$j_8uqbiA7XY9EymMx!;Jic& zwwCtTuRXpbT4?aig!TrzZggl_Ma7l6&aVvcE5Q!pMiIRGy<1dB4Nwl!=}l4I`VK}c z^7Y%L3Ek81;Wr|yoBXW8MEWmJ3n@ach7-t?MT_MD$tjy6J**0;MRY=CBzSgH@Cw1==JHYbPX_RO}eFH!hlWGL&%5pNd@CuwJ3ksJ` zsL;;fT(8#7idNfQO3|Uzh@jfh)m!6+^@z*wxO2Mia`%i%Px<`lMn zs(SpS$O;zVNuWAc&8|egTcf8%2qR!ByYK`D@h1T{Y;f4CLH;0Bu|G}MxM}VKGePThO&K@bUdnGwAA41pzrK}{jwToF!g2rA8tX6wEcpQfJ+;X9w4NKlqM`}!}(+8 zBCwt7*F0*RuZ&{@+#&pg4zKNIcv|eody@ByPJ-X}7BJbGlZO}d#{QPE8q8HBHhe~=ZWS$>FKk(?FKh`DBooVcRT@G&;4OjTzO0_Zq794zl;!x|?|hto%qD znq%8Jub!pQyeR0@~H|D$m7fdE&NPOcy4NhJseV8-J&| zpn~(?=uhvY9)v3bqOP}|+LqR*4@D1r<>&6adQlGu@%OrhhUE4x^tMsVqG7T8AHz-AKm7DwmR$c(b5b%hkjjt7+A;iQh&ap81`Aimwbo>509JtC8)sf$ z-0jzQU8glBTWyw@fy)WiCMwn%lVgi#X>QR1xw~FAbAGqCT%n&T6WJ%es}nVXH0kbD z_2$DxoHEjbKl6Io#q8UNoDDB--`{-4P zmQ6&QXS)HfwfT6Y1?5p_>wAjH^JDZgnH+lG-I}m-}d zR#Ph(XG>9NTF=5jvzID&;@%6p9>4FL*GIxdK;6aYNLbjZWgC)3{6c$p*aH~?xO1r= zepXJ2^XmYLTLJK-9PnlZc)tCsst3+XM}*1lRsiD$Ih}_;@&<6rpyhV3TwMF5sJ%ff zpe=Cdmul?jDn#BPo=Ij=wrI#rhwtH6kF)ISa&om>U`amEY(%+(8jKBSea?cdvla)| zH+m2h*KRzS^ll*eH4#tOVL`OF%B{ijBvyaJqq+HF#zT-hq}?bqZT^?AkiXyr^6%`n zQ}Om}6>L}uO@Z9@JCNI+xqNL8PMTq9frSkFr131i#*>1u>0eacSRTX>H2t}?aLEca z+ELgLgZgW+z2Z`9{;Ql{W|}?DRdcH75{KUKF>+1#CK*6vlLLh3tz8Zlwt*8r3H=`Q>g^Ub%k5sUscHq_dtL zivH=o^c06Y#I+u}Nrm0nzKKH(Gml~chPnhBLshJ#JGrXC2Y+6>JhR(`?IYa^JdJq0 z*U(n4C_bEqG&G>dmeS9-9ujrwyLlEr|9#YBI?PBRWQ?~Xu*63B7>A-ELHbH1e;zWOJ;Vaf_yzrHqXcw<>{=5A-!zzSK{V}LX>-7%MB08ha>n6_(B(Ir>1^K&4RaE!H z;E<;62IH{pnL0SFwuDbNX5&tSS~k;VuQkrMBLp*sVI zkqIOpl)+lcM{Zvve{!?Tgt{yQh>S5S#sEZ82o>AZmtkmv;qrs+ZA;i>CJL7 zah3hNQ<%MtNjyy!%ZlLd_ixZt>bs07EivI~5$|%sW(GlVI3MqJb63}>*t8qt#mTdD z4pWEK<#@n3I*L5sSJ|M@_TWFPHqXG9r(7Y+^4&xQO~gz>Uz?RiZ5Oev@)_J~@J>m6kJKYVvrw_g{~c}evQO$!pOjS6NaE;@S{ 
z@rvIE*G@G?0#tz&@?%})LKN#s8utBrH~O8Qf;d*Efa=PM;a#Sd7sC8vkBdX2I)V3y^lXzt2j@a_p7=T3^1esn=n{oV0%O# zzBT^6F_dOZJtTtNKSvgHslrf6v`(JB=poFlk75w^nz8wn_H#Y7#JKdC%W--{h}OfT>7>T)Y6RQ?GlL-u~!zgmiRzuDxxCBbrMo28EAygmqPC>rOQ0 z$WDGpv+0l0#AP8Yb#(CF#Tt2$A=-nQlm02kSUKZ5APr*9oS#KT(cXG&k;kwG`w4EWX5^kkv3;Q_Qy-S5cR zZ&hImob}R+bOq2fkYeXeuRrY}9YD>12pOo22~x7Fr$r=MV27?~Hj82@q+o^dIuE0G zJkl;(=@qK~EujV+vX*{T&PJ~{(J2Gq z?D&}$s8_bI)?X9Sbu%RGntVbu+TLEcwSw4;p-7^GsawBE>`>a9Mr(`1@{>)%0JD4D>xuO3I7_8|mE;GwRrROc+Gze=gM_dCF9#x%6{Vo^e%h$*5gJ^ZQoO}qeeHamvRal zK6i}Od5Sfd&9Wgb7Wk)!&}?FTQqM6KZ5=kYq^e)4Cu$yy_Ui?tNTssbQYgW%vn%T3 zX1bGpj(_{Hu*-)Rf=lJjpd({8xU(_lsXs8o=jdCO*=+)WsvY%2*hG@Sa+wBvAy!p0 z_@Jl~HdGGE!xo;i8hqn4&`f&5$&m!mawAk#D))nqPDA^rX36;v4JLAlH>5x`-A)F` zm#-l}*bJZPE24|9TTmo?$pD^m2$nKf@;7;28_>izg-9t$$h;==C$ou+GO%+7>^X6TXtY*^1Y-D*2CKkZ82E1gVOln}7^5xTnwmme;0u zewDWnHk=!TdT8r1>~aXcx{}Vxe&zzL>MHH-CfQG$-jL7n({X(O=i^R`4KlEGJ=|ch zZHLKTcbS`As>Aoccb0!oGvu6$(bgAza8u=8t$wgMkly5eHf`QRRU!X**fcV*r^wm` z4}xr-qun)(=1tOmvwj7pp)6e0Xe>@ijm3)IYKB!d8CC6k4fIX4-)*=3(HB$>1as2 z>uC|e>aqng)k9GS;wmG$WMzZN!s2zoP8tAjCR+0BABLfi<`f~%$hL^YOpN2TYXH7c z7Zo>qhW>kZC~@*{ZdiIE7NBV^u@--xBC^YYCM@6d1(VffVNudz0Pyd}yrVFMLN`MJ z|JmM5)3BYen6Wo516yTwTu*7dBPY1eGvi%T0h5O0F!QB$wEW$G;7+#W0WfB(NRQ0> z@|pYF!@2rOKh|D_P3kz$CM3*W3!W|M0}$vZ=WYGhr>$@mOH=YGnyZ14;p&g+wjE@ zT=Isp!GYz=eN$64Q7f;12Ct8%L&{3e-PD;kjd-g4y@QyEkugO;d0@X&@zcAF3AzF% z&hkQ`m<^^%o-gXlKi{WwV3^H8!cGHEMchv;OPWN|$!bQP>Av0$$6OUs_J;FpRZP&* zCDy*aBPDuS!kls)Wdg`N6wL3jzrM0xM0rM{VLaO$Ced^IMKgQ-=nL$w)~mEqloxrX zmL+=)_hX22%2f$EsR^WOOp6xqSfN@(hXg>BJl1IcskSDlp#M*J`G(uW z?c=hxe%sjTl8}U1<-Uu5SBI~=*=gOpvD@-r9pHi7E0)rNYLI2g*Fc#c8m#S`nCdI2 zX|^nDH)CB8w}P2Q;5##~y2W8Ve1d&m(vx_ht2A;`n+dv@eUw}Y0tfr9Iyd{pw`HJqXD$NYAd zosMyih$lxZ+K6&8Y6P)(Vvb!X`9x@vyeGNe!B4ZY=QOnbct17=m}+p050t&O0`c9L ztwuh*#A#$tfqCxUlE1oExx7?wu)O{fBT6g4QW{JrSPnDjISFcQf% z#1?_{?3%And3ia=R^hz#+(|H?-J40|v*?~%cCORh$`x@eqc5PSfNB^yt1P#G=r`2| z`sQ0U;U_}IS=K1|5PiwBX@E^f+|UStr2fY(O6ASMP^-cJsEdcjzus0A7U_z{#RhU~ 
zJSeu(6R{GV4TJXpE)+PE9d5|#`ZkO^oW7Lg=G{8EN4@mpwe2t)Ep&lDGSVgy^ zh_d-7im9?*YF4$&Qk3X@wQI|&Z6zRlS-+2w+^3VJH;c$Iq0AOeXwV^>2<}avN#;(e zc81%^lLg0W_${+_S$9~0szldtq;B$NKBmz#$=DDDBxb-KW=+6`_*}WoMPP z9!I+*-h^+x%P?sI z@nE33X0!9x@b4|4EMaG9)KRwBIBGIYy{+@eK^d_MN#zKG2Owo99TH4}6 z6R0>B%l8~Evi(8PvB>a?+<17-K`h6em3^*OO_~VdA?_6$mnR#v#!Vc?Ij?+A=w|1% zFST;{T%J6Uyjp3Q&6Ae#<~W=Wx2;cA)9xP$Z~HA1W*u0}>LjEMp#hu_Tksgq8(Ec#Fm8)Hz3qHHe|2K4^c z-m>AC9Ld|&bj_@%>K5B3(D=jRY2v7y7ooZ_p)b0)DZDdiV4Gbx{d4o={Q?&~98Y|a zwp(+kr|8_=KqxK05*{>ojgT&xd)HHR?I^@Soask?d_17%t3vrv%M#854!u0#_mW;y(v0*b3u{&+9!h#5KLquKbu*RD^wBLB9 zZr`5VO*)xi8flT`YYBvDZKq=_Er(X^B5D2<%YRt+I}zp~!(Nq8>FTu^+hnutEsU3!k1iHtksqu;b!<^AgVg zAgSrmE;V2M-58Z3t)$u~Dw!isU(nD8&|Bn0KI(j+wQ4zEfOPu761*CGq961SgHRP)`8P=0Q zVd7X-70XFLr_pvaj5~H;kf9#6%YFM4KUOiR2s5gdoLItOC1Xj3=Vl*no*4fa_B*6& z!kmJd>ux}c&saqajU{u6)WQ{@YUa;)^K3h>Ky{dI=ZR1dzj#EERVnJpBWB_WFWL$O znrl-q%qf@hHLw~VVTh-x7=;ezvT=cjF=e5>Vr$Dmf1m#n;>`Svw=iG-7y|V^v2G&N z`Kx95x~Tcn@Z+=HyejK(={)`O z_d-b{pa?5M#5UA5qJEn^Q?0CDhdQ>-gbv3=1JM}+i|rB1Uq-1a`()YAZl_i8Q8(&(`AJl(=R4tgNr8ZUIS$Xck!TBe%qnu6|c-MlftE|i+4hT`Rn^o-G1l>{m z@RZa6gba$<`ljo?H_)VnD_YaTub!0&+*)2818cR_W<>!kKkuuxTn__^qb0vp*`Rge zpy+?l0Tmu)JBD|Q89n&%=knJKbJF-h zVJdGcjJmzPW1y*ohS}KB%^PO^2*0%3wAJLX4a^Zs3NW;4E$T>q{a#040~iVDzNuP* zfv~$Mxhu+rn5Sc0};vH5qaeQ-bg-Sk!C@f zf_kzQpxg)pnEqV*xnK5TVb=gnWLDet`B!{uHRM!B^{)=7sZZ9ik-^SDdunqfYDd_1 z=$My$rn-sgnE@bpi~4dCZow)zzn3>=EoP-#hN_Cln{qnC|E0uTCs$c06#n z>%;*qcmkQ9bxbsnr$GlRZk{GfMx-sehzQ{`HXcy6|0S=aB=YBzha^|%t>sCJBNBWw z0LLhgzWhsQ8MXqt!RTwRYFn9pvez;v&yxHk`D))tJ4fA*)684Gy*xe0U)hY_>2X3U zr@g&-Muo-oR;AE z05a^WKwRp3@~2=Lz*6p^oYQ%6Cx-vK5BQgw);Xh_q(2R1PZ2v^qgS8UqozjMVupvT zY`jX^)6Qg-B%N8}md#Ilieie8b{a&l&}Q3nUXaUX2-YW)mivm(1gPl4$Hv(6iZe-E zeO%ktqx1)MZnD|tbTHV7A63oC#7}-zEF04wo^`r$o7Qgke%Up}fM;oAQuk>uq(&X2 z*sPx<7IzcX#a&MP5Fu95eMuEDGn84h#9c`Ja$h3Oxx*!{eO7LdnzRuSjd9svi4Y+e ztqxJO)JLGmahtKCF_UQikl-rwi;8-zUpdtvG!f{tbemxL1RwveEmBm*aug_@y z2}AxQkax28TI0K#Oh7S8Ud!*r{+rr%1#xZVPAao6KpW2r)&mA1^g#Hba*sUy74BtL 
z7FRShB3F1J2jENXe>7cRW{X`+>R6H@0gKQqROrlLJ*V#}u!l+{&G z^lncy!_ylmJbHI~mCpjeTAq4|rk>=!I{s6>K0kHSK^3x{NCS$NtFNY%Witnjz!)QA zK=IxM>RSKVnvJJkNj=wJYHDB`^F!YsUpFUgg~J6Mse<=Fak~rZlgT029$R+_2gbMC zv4V*3xGX;}vdw{Fvh4xgBoFe<)$9hvn=1`GHx2`BSfAlnj!F2>cAu{O@=VyDSX+$l zYV)7f@g@Yu7{V6rHG2V5J10j>peHU^T)C<8W&O4T-d0U>{Gg^c<&?LML+cwi-+HsE z{+N_{&(L$aMFUDzbFfUC&5A1J)HystoU_U|qK>)AjX>1g#^gIM5K-J^Fak1`6H~X;z047v{j6ix(KzKs%X}1kqiB;u{>omwe zHutTMk-%$jc2(8|87^~wFb&qQ$k771^2hfYdV@O)5I_q|Ptyu>iRMLmf*hP}P6&z( z`0@J`eugn05c^@3_0mqpb&2Z>NsIH6=?Gtb7c)B@g}I&REdDGOsNl5JFz{FEA~FP` zrm$Zr7};oS5%qkzz#kg41+)k|BRGFfg8a40&FN3i=>G-1f$9b{owaZ4(%D*y1HWS-x?NN?*1Wp$eM~fE zagSEd$`vyeu-tu0S(;l$=AZC;uffG4})L^)o;JIT4i{KV|9< zsLVA~oIigzp1=u#zus?0%RS~1#wvAyk4n1XuXa}mqKzS1_jOU;WO@3aUmvIrnBgH^0q;d`$C>2za}IP>4F{nwtl z<)Nl@@`vL)Q(iwA`&9hi?bqVG`u2?5gIw6@p2{9TX^>eHy4)tnX#>yzwz1Oe-|pDX zHLmsnCdl~P1k(dY!F!D~kMDec1^i*JAPTUGl(a77gHA01)A>qQF8{egC8ZzEI~cxp1xKR)TCb)9oOZv;ws z9d>)04ScGhx8_g_C+G4`wrc}htb%Lm4b@Lz_a6oC% z{9cR$V%;zF(3Z2pO*D=QJw%|?rj2xvUKE&Lt1AnwlOfbs77x6H-~?8Xwtk+ z3PfIC>rt+hRNj;TDahZBIZReu^mTv0z zo6M1K;b%A76Ll(-EWTzH9F5Xka${!2zt{e%gs^N@PSn z$muvR5t(B5f3^4CQB9^@-zW~x!1Im>Q*4NUQ&f;927yrRil8VcNR5gRkS1LSAv%mY z0}7**(7^(zlt@dYB{s-FAOQk|B#@{OVt^1KkdTBV=ZZ7)J@5Ox>#TFmcgnZUTJlF0 zEBBqd>}&UH@8AB3RG5FS0>iw#g;EuEe70jb_F-}v_KOEb*NR}6O$Y6#p%$!?s-%ru zO1pZp_B_G5(XH)q=polNXNw8txTF@t?5gF&iKx>zTTVo8P0yNSpP6qq^Oox7%~8JT zN^8~!MOL9otwg8x6EP!h(cY-$@bMi(xmDNwd5~~ljTAl!t#j&fI$B@IM@)S%KYXmy zD69y_bdXiq(3@CD!WJ0ct9B`Q`(W0A8rim*?Bp3{C`-_R>QB+=i4xr3j*zGtQ>3DRuJQ`MhwkIaM46`h* zUM=A{kXsV=M%NIyCrPb7Qvb3gUm724M%XknD^EalE{}hhd=Brjtd~2EE0R9Em3Dri z7P|Kzq(a{(gMk{kfrFvtPQnF5InJuB|ye-n?hm&J19m;v8S!ZmOE0l`2sQl7{sECI;b*0vk3}QaM zHGyl`J?|Cbv^LJD<3?W|jeIs{`PirsXZ>~9L>jlbYJZ&YxSl#Cf8B^?r&;g; z*Z^Lt$5J3Iv!lFJl-YB*A-?s&KlXDGO=SLjWSd-naA0|5uX_zDs-O5IsP$qQ13Dm) zXuWmNP`i3>9eCx~8*d&W^G6f3F1l*8-DrFnjM6BnOCPCMZpi zBUn+yZJ2?`it(poAyiqUGA=vnu$xTE%ntKe*j*4`qTb0IiF+c_#YJPL&gC26q^%PQ z$$Fu++&muXUdoL?QA+E%QL-Zp@phA9EIKT;zO$OQk|4Rw0DY)27z=Na_@s~xfRWPs 
zzcztO{dPaf^^Y7ZO3Sy=-+t7r?#6%`sqo%|`w2+s1Su0g6`evgah) zK9cxg4pLJ+d2Sfi*0JbL+p0gw#H@3GSq4`Q{(GH|s zKBh=n;5PnH$#0rF7foZg<3TfB#qonRB~Nrd_-URv5w`0`J5m;Q$wPa1$fwq-IzgUZ zQ)29aLOGIbzREJEHrvhs7qBi;eJoIuE#GYsBAlD>f)r=9@r?JTrZPc%7ySr`Kwui z8@*ZXO(I%mP;QoMa$;(}{;Zi3bCGaM#?S-}*6W_cR^eV%ihQZ(3A1J{cZR>po9FcH z1NH&_{ap`JF}RFzm%;{nHdn7Rz-9QDnD6CFUV4NtOY1}{g2lQowqfJd7*3(2UX3WZ zUSC3e&3&XAlPQ%#E6lA3qwF>Cp7U+ov3LWD=;c|-`I@*=`IeuObf4j(9>$fYG+VGq z+Zqms_3VBg?~G>fZ^k`YN_xml9umW0AI`yX^10PiS;G8J!Q6|uU_bJm?>|Ze+QxS z;LM5o`7n1ee|{9;V$|Ge%ZEUbo5Iz5=FjLEEhX(^Il&^&kJ(){(mRx>dkt$cam2&o zn?zGKNy=DzOWIM%IW)9+_4d4Y+v5o4a^xJ-`onRC=0$z=rrJq4=iq6D!dGKVU$D1E z0HaznG&$>9kYR!NxC+>1BQ5eQv5F%0kS32Vi~V;wM!SysrHr>l5Q0hroQf~vM|pC) zqo3oQvwZX4-j+Y`M?i>ru^bwyXcz9b2caWN8$a zs{cNCYp+h)3<<0C>lP|w)Q4R@${!{@$Pc@-KN$UuXG56?Jk|+;0E0}CsMW{4VB;f{ z8e^pb9JaFqPksp_Nw-ive0S3FqbK4S#MebmlkXj^P)E|wpea9*hz;z zNgu;OGc;3gOiPN;7W5X4Dm4Uv#?&lOHnw*fk?&D?Z z7MZ_7A+>)I$2}q!EkP9Fbta)DN`A@W*12nqYU2rew0x|GY=ai78r(OnHL|C30g z!ta%4#~dXSF=^HTHOdULMY zd;W;Ph~Srp8+U5_;z+r%S(`$64AUP@@n5IG%hsptKixO?{a-&)1sea8Zn(-<7hU}y zU=}}gR@ZumT|)Qje)HEKy~POrH~Pe`+p$Of2BLWN|EI6}09IMr5;f@1A&tmh1&cu+ zzw&zB53lWl37b@i9*yDjNKW7R1a4{4DC*~TU9B*C4a9?z>+ir)st&`!|DCyUFsOQa z@h1vgq8x&%BaFHDSdBznsv`4`oSa7Gx^KU^+iBCQJLU=%=Ruye>+bHYe>LW6I9_0$yZWzZVUjj5Ze&?d)L*$T><3Gi@YMbRW7$?|+|z;D88 zWlZg%LpNc$kaZwL(mTf2d;Ly1;ICI;xbdbbq8v|=V-GZ%)lH5`JKFa=uTy3@7EVrH z?k!CDW+2d^)?tt6EO}|nljC+eBcV3wV?LxSW~@iP3xz@CuX#9kyu?|a9kl(2J*y8& zo|v?!oEPBNRXCk9X4S-oL=V$i*|B8YI&EPE2JT_Lp{-WCv0Iq+$xA4I)TiiJF zZ%yH%++AN~2HY>X`))ngT{(H~w_mjgM)0rf>$i=G|M)S<|HSTJ6xW@v03eY70XI#^ zWgop;Q4;0?eF zC!$Mtc@4&!V@qTKRbp;ZmCpu_8>8nz-%J~9nMTr1=F3M=I+;PgqoQQBZCc&-*(WB& ztxrnAWE0WsTknPB?-0}BW`%a-TUkimx7d_?0cT@-Rb)J#SQS^-dT8!yXPTD1b_%nh zpI1e45>xG+&6Knpfn8=K*2C%p^g^z*$8fIoyMN?{vTg&>TYq81@HK?Uk17{O*)? 
zK8(KanK4rSu=HgmC5|xX5Gwm!whP{dX9;Bk$bo>`2TXx)&r%d~W>tUU{=L{8^o8~@ z->Bhuldl*W6h~qOPmtfeU@9*u;*zLam{HQwDBpT)HlOq;Su}y0qT4R>t>qKVL7n}A zm^Oa;xr5dy_9@RFO0Ca}Y(MC7x^eN3*LK+l z=?g5nm>~cdffN@zt{pmjM7buY?wIY;&pX>+T-^itgH*V`08c4TSwmg!9L{=K?|-L7 zyw&8JZ|F?G>q_;Ogx!NybsR(d3H9vUQPi-3k4!UZ(s1=KL*vJzqoZf_;)l6mQuGz! zQg>T%^ujEL7a{<}2}-E2iGF6N4256exm(g>$ySw|@%hA)xgaV| z)}J6xrUve?EOg1j<+A%hzVgk@hKr1b2wxbz z&370@V`?re2QgB|+c#);S=;AR7&OZlk$LryCx-1#O0w~EI8wloF?`6m=pS5&*ja8M zS94J8w6XjIcOhal!I`lv?o6D(U?~-skn%ynn#nJ3Rfz-JU)}#Ru=M$Onz1g(VlaVIZ|O%dN*U+_G+FXW*N1#k=m}ctB6K(_?mv-)!5^)&KE_a>_}yA zmChyBylk*p=dgw%J4xe~0_Y`svRI!7^)8~wroXFkp)d9e6YXun(`k&Qd^S3Z*Ut^_ zNojlBToU#Hn$}Nn4d~67wi$^$&-UtGPf9R>e$^60lZa2FUp;VbIIR%-$o90i)z!M{ z4h_Ud<(97PY8~Y`&Ygot>T!xc2s%p3FWl;evq@a)LaPn4Q0&VNVaxoS$;jNJe5w8U z2wgSt-U9QCl4&tLP4CQPV!nQug;557FNMmNtFqpoRnC@y{hVI!m3zmzlNtIir;4Q?_$hpi+N81l>%AdMb}zB`HrOR&foROk@U+ z67_!(g|ep4o5JtiTXX$h$OlkOMm?pqUavekXn?ldA(#|bhq3Ajn@(_jN!xG{DZ(_X z%3x%q#$l-EW5b%N>+#{x(;jN;i4`Eq!n0V~2asjtZ|?($xd#>EZyzipwXXP`AU?dG zsGZ*-D5DT~Ez;)c0CRFn)-pDdaH&E2i%_%bPAr>HTe*w~U-Of-fRW zjLnL;CP;!~*8xwcr(3vLxVddSeC@5M^3!leHk?nf$k^0kI4Ke{3UHJDru0O)9P2h4 z>$H*Tks@DBoNZ89ZOhl~B|h{O%`1jstCP57g}E|=Z}(6B;A-|e(VAma=l8SBIV_%` zR+W%~OD0u|v4#nJV)dnMU2j_;95)i2MN4M;zh8EXw!2k4&6gquD@(%42yq{o4rBei zSjCR?>Jk^<<9Uy4>zAF;8!UsVjo9T}?Rmf9G@2}+AilPSxwyA$k0Z(k5S@>z9;VzP z^{_PFo;wiyti1fx3tRzk+Fi_X05b-ZxA zxu9usB_8G;_U=?{YNo`le)Pk5TJrV5DMjTTUV?VJj zRdyGcw<*ZHi%@W=2Unm#1X>U@_0y^PPk~4Y{D^AL6^Ie1 z&XtKicGekD(kW+Bp+50h0!tJfKC?BKh7OmOwCR8_oxnLqLt7M%3L^KK`N?FD5k12T zDOC1Zv-a_r)J8I2Y|3uC!bj%2g%_TAd_s_lIWdH9HuYwQ%tlQS%9+mX0m+y<91`jl zLS$3dw0wafzv}E#uHG%Z*31<*Ir6>jmlC({M|?AIm!&C`n`|vBiQQ3+O_keP=?v(l zi$DfRvGYlZu}}TZ;BprrhOYGdzm=-cHXZ@94{MU7X+3W3fJ+%qR~hd>1Kf?idX?%W;#X zP3P*5mWj^-LdIw@6oEY{`oG&$!qe4F-FlO(j3o$65Nl0TjRN0ZmI-wvRz=E^Q{){H z6L+R1TZm8MWP3}wXSsOVG|$1bh1Xe@eu5kGZqH`fx(2MA2v;ErJB3h!>#rC{yjy&rRd=~-dnCrWN1Qz)~1v4!Hj|059_s*IWU>TXRh(|Kf z@wK<^#a8(JHW*ubJb%^&Q+Zf^PP7=9$XVsN^eoJX@LLWaXA>*RZ;XF^?MjRB%Mr)yDVcp|B= 
zz`5z|tc&K}*Y{Q+spf{_yDZLD9Drsn6JpktdcD zuv+)16*w4sblB_JaBtqUyap6*L~p4T6H0ig&Kwsev^k+n#IX~bRSP&BD}VmFV8oqY1~sqYDLrN&^keE zNcJbcu;$Nr5%mlWkv})n&?sbS+-_MD+cUDZ|B24k;(P}^dF^GMtwF!AN*>NG&;Pb^=XT=L+L9igt+)-jW4oZ8zar@Q zv~EXpA3W|RH<6|a>twjK!_PqGt z1J)lJy^n(6JNv%`nvF?lNciX*^`rV5ik%e;W2tYi|A6GC8{XE`c6OMDof0hxbF4C~Ig9_kDO22 zE;(oAfrlcoe8}ThgT|E%TE6!4!y5NAr^#l{#7lo%a`*o$Z8F5py<@^?^3I2dS81p` z?dHQ8MR#uLd!=Oc4D^(#Hr&*tLFdqrB>mJYBsIinlg_UXQAvcAmrj`VyrObPfOEN` zE5nu87Y7Q9hT`0Ap3DVk_504=On_1yo|7d#p6ek)%I0$CU~Yj{sp@*yo@({PPP0Hs zT|1`T9OSPlL4)nA4c;A7+Z$Gpf=sV;L%eekOQrIdk2*ks0Dn!jfssAEPwR6(Xb-D5;5JRzR&UT>OY z?!P&_JL`@;relvaD>aTZs~1ghj4HSMvEFg@V}WwohB)rs@xwG>xvpW=6_(*ghVC3S z^ZB-TzSG7!k}=#kKmBiyA*4T#391e3v^$b*pnp_9;Y{j$TzRIrgX_4EkL%bDXhHi6 z`O|??U>TGFP}zcK=gdIPORZv8dSgl0dWZ?=&^@>EPKUVHdG*40kw&QA5P6yw3#Ar_ zu{}9KbkKrCRn7}8z7i;++>)i#pm%=kEj8KBPNOhH znsa@p5+618>^}E+p-weHJ#g_J`VFL9(zj9!`UbCp2h_6w-A?~PH$@B{-n7AcXewdJ zi;M+43es@F19_0vtF89yYV*_NvzD?v%TEN{TU`~rJ`UJhtm75Y%#ZBwYj=$L)f!aK1!Js@m$1s|5ed+q}7nqb923GnenbN ziDzO~&x;(_ygU={Pp!>Y>7>Aopzi>sE92u}pSqL3J8AoUcb2|h9G7f%59PG*=DSJH za_JcrvVcV#XmnT)YHW8gkNEt_Y8t`NrVGn6&lM|^K`#L(QHRclzw#{K;;9fQ@3e+} zYukPRre3x){_0!7Fx=6k8!UJC z3R}T15cR>k&l*Zkjqka9=JfkFwHoC*IUO`T}*b6E9W^yQXQbgZbwK{0nbym}G zYdG1_X5KjY*cI8^wg@%zAu~SLT_)MC?w%IthR-vG$?s+6ClO>5hZh<{`iq7nar3R* zvgeZN;>m)btl!eL?H)hx;_<*jcdT+OvNJ94wkklJAr9kTk|eW<+*P(A2b0x`?9Dv~ z#x=a@vpUtjsv=xq)oK^)Ov-(oVbE5QA+d?NeHLD(OJ#q&S+H^obuJe&Sq_+E zp&GS?M39a=Pw2Uq#s5zfZZ3!I`8ah;InC{!V&(uk-?_MB)9zp)ck1G_HvzPVUwP}_ z*D;@f$=rnhc%#eCNjjLl5$BX=Ml(=hD4)vPf0i6^uHAY*68|cgTJ>BEs`;@b3yZIc zo}iY!Efr7P&FU)(7r7{dOqLk`oU= z9-8ouMIbXcz*mP)=cxKd$g@%j1!XXMyuKtn`>)mC1s}a_XqePjyh*Q~fM512974tY zN7LK4=|PL-t1b&}g)#2Q$K8%QTgaz&PS*Q0UG&^CHqmhLuz%dE|FE2lR$6ygCj%Je z9UL&_!^*2t!obn~C12FEw4N9D%Jp*y-`azPH&hg3ij0dbs$)z%%|kx*1+m9+mBq?b zk{RyJ^O(u^lZMKx4fQI(fUeiqNu$)Q|AV4^s7bvb-u+wM2}(IThPWz;p_C?xIc-xp!hT2{QOR?olnJCdD64`aM>0Ao_#jOFU0 z#7PYwmNC(Euap1ArmktDeF&DY>_KP`yEoTR;b#pyIq6lE+T~WJ3=pJvm!wH~he2a% 
zamU;O(a;bjr=j#ep<3K?H8&1$2c;n@lcRAK3gP=uG73SrZ68uX3ZiqJHsNk>{$^Hq z)=JN2BhG#T8Xairyfjd7SHr(GzNc{MC~CcT$IRIn6@5EngU2o5C;MDcWviN~Q@IeR zC(xY*LU-kGL#OCv0$t7jkspInE)u$G52;~lZ|sXQhw`Uzd2(KlhwINGQfxo zQy9JjUe+=(OrTU+i6s`gxm{d}f#s*XNd*!KT)2jMzZ0eRa=d@PP zpQj|$DkPLl%pYW&HJEYYypl8nTnBb9=7mZ#hBcL68%@!w%63;T*kb5(q)s zY4TP8bYO--AO6$WoXUex6;e#l5VdU7^Xb&jAq;S1S8YeDC?`S3IYP*Z@s`VH{pEL} z-z)*d#rMnIsX5egH1gfrhUp>KpwnBLInjxiYpb8vg|U(L*ngLSA<*b5Z_RrG4W|Kg zxcqj|y`q8*w1fSNUvdnm>^ZuW55{M=bdj3s*}jru8}{&zKcJr(aQQmQB^64K;TN@`UQ;@@=?%|Gr0#XAf& z<5|87e;lz5w`VVRkpu?vAm@S>Zo?g3dxrsQpU$e-1<#i+Ra?r|MTZ*0w-m0b1Ogz$ zG$al`K8Jk&Tf^>kLyI zsmcDK^KS-hmCd(LJ_ZCttGqgPnyhORVWsOmK%tCu0ZU?B9aGt_1m?NhByb_)D$fl2kJYuma$SY08jFEqH^vzH<(sYNMSB~w2d{X;Wg#~-QmpdqMsP>f|)f?EW zA>*AF4--WUO!Tl(wjLwr+2izmI8UCg6-d?cZSpFm^870 zRvvr2FRefP;-cZ|{?mU6SQMMGwZ)h zx+*Mj&>Lc}k*vYD`uBJfRPF}^?xa}ACIVXn1JK7nXBIdj5*HHa62HPlzNKd5pd0=v zI@NFJsIzqN{r4{=8>?4G#wf`7xJ>Tgl*uJkNjISC>PNQ!&=iO|RNXJZOe4};BX|*} zNcX(Y;6iEo|9>;~T7ENLpTsoZnp@9%RAT|Iofn_v0M@6mcpQBxJjCvGj&li zoaN4SeH&Mqgsu_x%8~JSg`~lp-8;<5C_M6?WUrTONtdX6YvIL3b)?F(!n{cXZ9#rO zp-Z*V+Z4e5-CKDuA!zg~;Dk`FmSZ;lEW-y0n`eq}tSVFg6mt$?8+K=&4iYT;c=p!>N% z{%TYADy?IO3L+`yby#(mzAHN4X%%PsU-@OOYzp&=jI#@f?b+T%3s(YYre9y{I6GuH zipDPbrqwya&=Y=OtAgquY8BAy;fuHGEv`CHEqR(-_WqG2%++Ve=zy{r1-sP$cc95)5`UiAJuO4049BRsxiFC<3GiQ_jC52CO11&SJu{srtCOD0Og9z z+lj3uPomp7g^&|9eJN}U)t#+8!T#OfAp{+|Mgt|x<{L(7sgh#91C-I z?kx;NQ$GEy=|TWGB9$NRr$K|u7t$)zuiO=_&OMQ}l-NT*r5v=L##Ysb^E?uj9zOS} zXWnYnmOL?LrU@ND*XbipMwzcmb5Po+H`g2G^fe|C+Jml{H9~xZ(>Ca`pgr+>Hj_Zm ze*WraaCGXmj)i_`rj`{11cs%h#OBuz&|~|*I-g# z>&pAgpf^OPjX1)>ol5oSyHPz9)1pPZxXXoTpeG)W1Dgcf|Nen{3KX*042E~evY&sx zGMJtA(~w{lpv`3RsMSO;FJ~71?ZLuN0Yyfv#6Dl zyMWJcRWEvK14nD$o?$Q&YNwmgw@mCvHE;nB-T)WTZRGS}BO5sChQIb}8l0PY2~rtY zi*u(?-vHeGuYd~fIb{aNX6ey9`>YmU%m!A2*_7A52lx41Yb18M2pabupRVmO0EPg4 zT~)H?*v-pOp$bLNg)NWji)w3m(pr%`*R3}j2Szid=c(@Zl;eg47NNi)IrjGIQnme8 zMJHhL%gFjt;n+~6!5;9ihyvAly&SjK013%;ZBc1!r!g$1iQ_0R&Zp?;roCq&W-;LT zL2--5Ho9JKq3I?o5=%ax9~<(5QclO38C;by{YD!kk8)-#zKtZ8R~K 
zn}=c}Gc`dDBa4GBN$^4fc0Qj3(2RaUctV?^CfbIW#TlCa044V2HHXj_LtcJ=>rEYw z{pq%m2qJ?`*gE^+>130sGe15_U$brmMF3t&T5U?3xmo( zsX{G|()nlF)SK^S&u~D+gLX8VmYY9Q97*Laf%4#3vw!z zTqCu8O29DpI$KNVcqGDqwNsFgYXKH8erEXULau6c zgW4Tu;IAR2BRnzGPWr4FBkTShdU(yX-oLKZvxqaxOH21;md7pPApJ#qYw%M!Fe4+l zM)n2RCvVEk*gF@}?t`AxQhWWIYE7A>!dj;K&&;(&lA{Jbupd0hb539&4cwcgD^(?} z0H;UT=0bd;zwEzB!&{rn-t1%;d{J9MM}j#!S+UbSfIw=1F$<#Jxe?!`z4u?)Og>R~xxxFl~ocm*dU7OwJT>!(ig9>(R0fKCUs|7@l!G zkQyuBdT7((L&8`PbZyy(CHtjio>*`y8pVOVJDCr8I6IltDA8Z?II@@R1bHEkQ1%r? zzvdak8ChX6r=`>oM`4S0Gc)@z9j_JY=SWI2sL>CbIKt%)wz0f8vyrA$VcKlD3&nw7 z9!ZZpp-*flafcpJ;+pCylK|K{fGPnIM@cWs(@Qy?xbzUGkT*{G4SZ69_yB0dde!A4pY@?!tjiJ4ROD-8lOt9)hF-v z(p#A?uCmcF)nkU1d3ksZYhKq+C*Z#->M*RcA8qyb3>%~SlBCKEiCyNe-7&LqrCoR{Gq!?zY3V{|2ig>alk{6W zT^q^I+JBDtq62N>ShPO97q1b0L$utYY{eV)tM}9f4UD;WZEH4EmGobxT@R5z{UtEz zk+nO`r<53wa{&fBWgG$IHp z{NwRy{VrD^347!e8QW0hUXRig9N0zK&tHOhtlC-j33_7*epn~Rbpt6wR@Y{ou0_IN z%x#!iHO!^mV}~OLCOV=)wFXv!-5;hD6Wk`p;`JUU);|nFsM9G?TrOk+WR!Z{${bpaf)_{j^c$ppe0g=5t%$5mA=>-q`yf}|@kSKuzmjkLB~SZI zxH^ISG6|)D;;Yll)#*-o7T#J{i^UHK=|fTKi_+9iL(<7$_1W(89r35|H8T1mW(A>u zr6^pkuKh5W9Jnsj&uq39Q*%jnBdvo{-?o*MMqoSP0_?@dS&0Eka{oNBwZ2?-TG~#< zN63=Tcr$NJ^W>|D?`IRqU%c4;KxNzjkZtsSM#^|h7ynrQm#!zxLy9oD#!UjetoxNk zT0?NF9zf|@I^MJI=|N}B3(NZhgsCn2Lyi;QwkP-oeLQDfmy9e`e`CrgUI@^bzadSt z#BLT@_gM2ww;Kz{UBf}+$ zk7_AHkMIIyX>kB6NQm1zl9eo`v^B8u#lFsPUpA@-J0omS%#TcmJ107laH*r6xd+vD zyQ%EjeSh+LZ_?J(E3OSg$53FNCdLG9*-wf}nbe#74S}iEd2@USa(?TJZME?8KCWp` zX7>>yS>)>o^qK%!tg(J(;^Vp+cp)RJvbQtLaG{nnM>4Kg<@VWEMDArJ^}suSm#8DbX1O8xpSB?r_1KvDAYqXe3PR^Qv9$hT|NUYr7B36I_Mh2~)LTN~!S#~UXR z6w5L6olb*-i#tdlo4ETUQd57pmHhtY3$0xN^(DZo3I&nLPY0it{NKbd7egYl^Ajtf~2(gp}UmA`uipaR=d<aBO4*y!0rnU3aB6)jBQOU;8pjK^*sfO@8yc=o(TSvb!aZ3oljwJxac zJ%EM;0A#^v$5w z-rYjwrh%{H`b(htuxLji@JBJ=^n;};|F)0Qm#*XVVYUuH5Ll>OXK-eYBqbcUmtO1<{vfkhmxJh7B>3=2)_yguEnti6(|4vZ-nKeGM z#%I>}Y@JkFs{iLxai6uuXRYyBYkbxkpS1=Era^fq`25#C#b@RCSvh`Ij-Qp|XXW_6 zSUG-F;*up_9gv}&68~#-c&xnZ5mRlU8Uadep<(AyRWXK 
z_jTO0_T9@rt=s%jvkUAJuaD8F_*Ip#%CJ>G^#<&yZ#!JF#^^oR;r;ywvKlz5rgrQb zxEeUBruGP&2#%_$dA!lR29Bz!8Nb)s2abNe%xBts=9|yL@V`J&^tKaqAx%dohADM^ zJ5?&lwKKfL65>Zv>9X_2G2MN0+TW=(ROK6Rp1qq&edT`(@9Uf2txT|oRTPB zwL_L?chV+=iA_u=!pZT(>P`o~b#e6s>FsmdCcNq`_T94;em{CMvl_kc#Z{c+$&!ZU z6Dk7UdsCSG?BtX}=%K{PR#Ff&o@UY^LtBa1sa=`;*XES4zbvMIjjUvD|B z9-*W}lm#*{Iw-_6FF2Jj&o3rR#gRWA6N{*EhFG0_6U?J)CWFOih{W$XAID3%_QXdb zOHT|mt&@?b)x_dJxIkj{mqGc;<0XHP`ND zaoUH_hlj+`6U~$+Te1~~jwB!4H{*=|&iW)VWYhtlq_{=Xe{*j^7L}F2BKGZscgKXx zw4Dg3nQUNu*y7)s)+xy8uams#v&37?Y7|8k=&}+cKbg~?$PUsSUmTE;6uWozeVHSi zcKRlk;a0o(C>qyYxL{~$KtPKcGT-+N-xMH~%X!Xa4srO`VyyG6o>}V-?OQ^_iKHt8 zWJ%j1DZ+izt+WRHiOm1!kyspi#Y84&ct(a4ypxLRm-CVNvc^GrqS_CBk>7yEjW z@$+U}f|D`iyDjAKA75Ag^O?>%@OF#;TwoIm3(pN@LeLaW^Wm83MOm98xr7#&xt$yJ zIzhd^?m|_eN@RZe4WiRdA`E2z&}Epmr;2V{u+=7Yt}jmCnMZ{x0%Jl9UF>2)6#jO8 z>*3w7a+_3(IPMiWLjaq6#kVE^9++2V^8H@BLH-ggg9O=?XK!=NOGB@${^N+ia@nC8 zv-5qA)9wtQg1mf$ zBJ8-W^}`{)S}F=k7AH24y+lHqMUn z`j^7FPd=GTiDlD>`=6qx3-OcxzxE|>ViM@Bhfy3w)^wX=gR-5|3)b16klq1v()a79|MXBXt~2D57i$y|MUL_+CkGE literal 0 HcmV?d00001 
diff --git a/docs/images/thunderbird-tbsync.png b/docs/images/thunderbird-tbsync.png new file mode 100644 index 0000000000000000000000000000000000000000..0c8680360d92361f8e96891ae593ad8d1ba6fdb6 GIT binary patch literal 22902
z&*%xh*WpetyEp)n6o6q`mMV78;o_>iXGD2IdslbqUlkWfQREp;`^*mhPkBz21QyAD zgT4u${cF1lz%_uVh~dmD&xE33ZlAoL#*3)zzgf5FP^T3-eg=IoY|J*yf5kL>3eycV zIPhonzVN&L3ihWQkEmje7V|-*a0i|b=(^Va{a}Fi-H7BO1FYk9ZV7*|PPc|VQ>(5f z!Vmo+&tr`cI#7945=_p9pXs~7O?M!c=NHkTl#FO9KM1-fH7cCf0p-7f<}yvsh65`8 zEOY{U=X&KBlttowp8W(}!H2h@E{*YgT1)d(gsa@LgbWQ08H&~|FNY1!PJqJiu4Hzs zrbfxHjmW2^R)_OB9eh*2>y_by^46iB_8TO6N&rAV+Gf_uU=>@Z?>L36j>Rsw*z%+s zXV@ry%PbKc6h7CF;s2^TTf^tdKfAF{@Ur2hCA5;je9hMYU{zPW8yrwIFd&3(R=fx_V&bS`ag7+Ux%E z*?4rxh?o~{m8kINg|?Q7g(0I(wvg2fo#9ZicYwoKx%^YO*r2X^px@W_fy0dZDt>V( zK=25$S7KYG!O}DC`IBeUdTon~95z=({n><*qylsL$=#qhSn_bvNR-a@-3^mJ(i&d7 z^-kNzgf!qNyPcLLFb7_*YDlmXBa?xD%~dQ*oGQS5_6vScf8@_57!99$cO?KPiP;y^?^B);hwSXR+npjg*hxwn5Ak%)VO7-S9 zwsdqQa|uyHk0XjmniTw7nWmohL268)Cizg2U==4{_gkuFV&5kKJQ5 zi^%jqm)=~R4myj<3axR_$qn8FhVMZtRr2jOooLD*^tOjs4#@Uh_m*q3BvwqfYu2SS z8BtYyc%G4Q#$kv;y}1g9H$|Cd0XP@-wV7BB@!nD+yo5c3iJSY1x0(TM`g3y&oxY6` zXa>l9BjS+qihBle*%PZXq}L@s08y zle$yKVroIx@drD;fl76hX{WWD5bhfYL-VMi6 z_v_fzRMM8hGF5cm4j<}K)xq67h%TGqM1AbB)HAD8JMaJLnl!jSY+Q$80GCuz2c7i>)`RA|c8f%a<@&?TaFI-`?-#RXc23JzL z*XNeaJ9Vs~jkd`8Bf33aU++Cztcv4=U3~YdVRF|b==!aXEvS;)s@PJ75js>i*PR@124`cZF&RaBOvj1@J8O|0Z=n_%*5>f!VYe~t$FeBDYh{-{EcobolJ z{2s4gtnr)3(E^|5#YF#kY1h)Z43}$l8%oB^U#WM_<0y#tQ8sMIoHrPUG0CDk#GzdH zVMZU9d(#gD-acC=Kc>5idOftiznI`>zEbHl>>6t?Z^uxl3oSKup;-ay0L?L!&-UO7*?ArD9(fLB@9*S3CQdPXR z)baOpzi;g%w6hdMpm$HkVEVGoIqoBeE&c4%ti9Tw1brXqoskB6v2WM47|tyFb>cmC zBpz)vuTDKF1TV#rw>Zm`8yb}tb%VS*yA|kru01>phV<+Ow|8T=R3a+uelaGF?W8Lq zGG{&v=2=(kvHVUp`ddxg9<-1H&z~+Qa>Zk`*D{+MP1=(u`sL-p4lR{4Nq%1wxbIN8H0$>*;9xMyq7DTln=JgkKe2)H!3?RYiz7pJ6kKu&@ycHc1u? 
z|6~f;;BR!Z^wb}(a0JUib?-KcAV&sf!u)jxr>B<(UglUw+C0T?%q$Bzc}Rf%q=VoD z%oRy+{lQAby!c(Z{*YC!7I*Y2WT@2{C4I_(rNdF!M^#HoX)b0(jF($btulx2DlH%V zEbZ!q%={HC8EJDcI2nX+ z9Q6jpVTW$~<}F}H`gafhE3sbX{e>`o3KqHV^S z+S-34>vbUIsUyX-w2nN4e+OxR6Lr$0so7HthEp+kdf5;Lz%fMKJGfIYTVl9J21rJv|~3>AsO& zH`rQM3GKZKy1Nxd#!HZI9Ny*_6PQr2IcDK6*jPvcS3Odw3XvI*v5U)z<|ifEZfTF4 zI!wT)hcSF`$&%V$si0mTR>=rHRe5sIl!-~y z)3sw#WyVlQ&deG_=&sdspQhbVxVatwG~+AbdT;Q?bf^7EG}V#46|~aG^9aXSU*lxN zXxF=A$c9pd_MYAcq{DT5g)i#J`C5a>o;eu7d^lEO*Ug>(o9%w#45Ys<*!I)?=>Ibh zLT7Y@u2?pn(a~u z4$HT`ofpWmM;#e3fouTuM|NOuD~*keP{%{Y`$p`TA}z>whCT#AkPl#v%0oVvvtOPQ zMN%sj6`9Q{o6`ar-;LcXXJe4;Hqfn!fd?agh0j=0BdoO^*V`Kexh)Eu2d@uaxyn~V zM=nJdHK84{GRL`A)Hh(ZuF4A9641x z)w}P{7jVb1#Q@f)!y6Su_Q-qob;V2l&QtszB-cHBLdRIoW;mr939&(A`*#T_e(g(qx>0%XQlCa?Oh>%Q zZ-e=%l3=Bwv)Izbe!-L8wVn8w!=u9iUA)(a4T35u$#v}vQH=SiRs6{WZoI~!Rd~IY zAyliDYe@unyBFhQ&}MOMS5arx1j@9~wGaHx9lFXJ9f+HUzbmNQe6R2bcG@dC>nwd5 zm#u&WIF=v5%3!EXyd$gZ92fvA;A-ut}`iUtplGpcgYSou^%kekJ2&1mw1 znS3*m76x3p6|aL$l?f01cnk}`3LW|W&khf|if8Y=R1^DD#Cm^Z)5X5L{f&8A*q4e% z`GITJO|J`V4YvV42sJ%V8Fb^~0W2!TX8IlQ^q0go)&8 z;m{wWP`s^l9CrArH)})pUT`vCfi(+xvw3{97wAau_~+ zwnKm=_5i(Q5zIwhQqLS9@S{+Cu>{3Kitq)VpVHWT_Qb^1sXXALF!_QJ{AuE7KBEHf zJNZczu;I^Af2ac!fnO-7n_!+fXwp?&GZOv$GWzpqaop@>rSrNoW_D!`mdi@KDoXW>bB?c=`P`{ehj0VV;w0(<;tQ zn164=NU`xThAcu<#ib_S`&z`l*?YoA`~{I)yB2e{j-=yah`lzp0Mm+^4pcoyo_>I{LLd{nYdAQPNqvid1!1cV_ zLYRCr>&BofD`mKa$2GcrU14A^>0T2ByhK>-q3s3VKl~T@P(MUb#x(wfMD6jKF8^fj zo9#Dhw|2S4CKfqGw^WW(j!~(hLv&|cw^(3Zr z;N;EzTlQvl9*pX!x%sG{NvitUj z_lpvg_k+}mtMQ<|o`go!wR}f7Kuj1neA3YDPCG#9jD} zRck%YP=Y08;-tW$b#Vq>J20W&%*dxVKi7^r!cnHnH@J)7Pit;)6Ye&@CGlzJRq}%q zrIE=!ocTi@J26qH{Nku=9p7-yDxG!UOdZFF|eB*oiP2Y7={Zd z8elH;n-QHdlB>v(j5teVJNakY66HWVK_N4~Kx$VSXX5BVQ=-Ii$MOEB8dCHd(iX(J zS-&;Sqyp<8d*4p`FVJ%wo~9iH5vdPoXo)#l^?r-VT7Rbuw?lDlN#PN5Voj4|t zGsHa1o3U!_*Ipd2BC00`82Q+(Qg6BtK6I-+TfG1qBOOUdOMvYm9r4JaR9}E>KnTTB z(z~PeQq|Xt4}3lN>;!aEq1Ie+(6zQ&o_$qlfe4!t%#+vcp3MS=6Ki(FTo=p&VNwyUyzA^nN;}~{C%)yq0{2O0VHcbIORW6 
zpf@%EDDlG7$nm;(r&o1BsRGwE;%MBHLf!ud^=dUyiZ@rcgiW&(+xLOt3_YWDo9w zqM**Ok-q(;PzFZ~Y_!5&{)7kGx zBg>d)C%n$oX-%p^3yiNoxBbQJet1y`;rVg*Bi*K3wdW9@e>LCn9PUdr-(IfSosM=( z`l&nBg_;0?mk*fvK_Xw9Zwwzy!EclsKCwv{bQzsJjg3((vUg79luhUtz{tf;^8*hG zXl~*vF5v*RO|YCmeHi(By&`d>S}`rsF>j{X!|)lnaq^WT~Xi1D!reF#ir8%`ABH3_P@Ubw2>0=pX;uSExQudqXqQ;ntfdrnfytmnBpb z4R*Jn2vIiky2@|fBhU^gi#_#yv+`SX0!v|I*ieOEz?s2U84b$X@UepOx6PDckJiDV z=`Q~yrpc4{NQq&jOqb+f(-N&1wPzs@+sF8` z7AN0m8Md7)_0KcD=bfuTy)Wa7PG-_N=Jk(060P{(@_lO;jKn>Elx=&E_vn8d(f+pr zVjVPhN|3KS2iZ`+DCGKoPe|g-RurfU4&fVqE(j$E113# znsf!S0WV|$6h}d+1vR{*dLXCp(}C-*Vk!+14}>;RSP6n;4Z@7KlD#Twt(`0ceA82? z;aaJZ;KQd{6qUsVrMIm@CSxtG!cRJCd`1}^7*oDs#w+@k;|xA^K)c4~cLHTCWps~P z*FY3O;~GPa@oXu2b@5*27z2>4E%b|*#4z9MyPAw6ABC=cZ&cRgxYVwY_DF+}yjN|Y zKnp;#V$rE-&Dp^NiHft_z4g?&)Oj}ZcgC^F$VGNT}r___(5h0~H?m~4aSxpj{TV>Takkb88+A)pFxZ{+ZC%6aE20lg=w4sVo6&4KMp$l!ju zv^)C?ubXpF}DT1g+ zNx`-}_-BPPyJF;jrN0W0E%!%2|7RBZUjU}?aQ`xi{WVsdxE=6Yz;7~|wgP?&YP$b% z_WR$x7xsHPpm%6+2m3J#_`vM(pMzxUPDN)Fr43JcMW1E*k4y*9DMLeQ^tJa_3CdH^ zrjB&He0U1s81?~1$Ui|(w$=<^muNI9TrO?&&>0*)fxD;*8#ApNN!0j`n16yUG{=*dSUVDs*F?yB{Daz_}rBhUsLF@vYt97PwZ#KJR_&*i*S7x_q_! 
zkOzcR$JHW&Q5HXDObbgw+i6$P(QPm9$~6@8*6svhP9I3PA@=IP5eB-ZFnADR%(bv#Y*V zc!82vHh~+I+{;=R$y?Pj0t)mL8HFgP+^@@a17>cczM&egSpLb^Pkb9m-Obk5$10OL zOg|W)f4%~4bQ9hy=ngDVXP~qw1xAqDQ`CITlGu5*vC3|{GN))T?5?#WC41$q!Bvz} zQd^k6e4_a&3qdKe>|1MmTDOf`!QltA^-Xx30ioZgT*}Z{SV=mq*7Y%g5WhXR=(u)lRZ zIXz6b3A{^I792LTSf8)&3@M0u{=LizYzkPuBupl|iR-GV@H0N1#tvK*1Si36gcb|B3B)4V|(Fl~W5^S;K_ zNu64)dZ$^lmw*znge7-la8iqSd+N@5u278Vz4E6ty#UL?lxVnljAGW&9FVF$;w*sj z@Q;Or#SIQPuMPx`6f`WBGXbxKp(I!N1p55klKcbf|D-zg@9gtm;=(^*g**9y+7#=Y zPi??{MEPlYuUEoE7BO0vzS#Cl=f|08c9h}b!_9wDe&xlB>}e2H5=K;#MlvjQr5%>P z_fqi#ma?Fa$FZS}s3&vAPY!?;*S0*yZ(OJL7gS|{CbX0BdTOwXkPWWuci!FbX&V5x zsJjbXU%9>-1_UmKk%88IN~y1(AQi9Kr@Na%3W(wd__xBmtf$nWieiKy&U|p|(wi5Q za`FlEiG76a1Yi1dxp&7a1{yyesM})>%kr(nRrdyjfB5z^ZY_#36r}2Zc-DJD2m~Uk zGPg^vNMCk^tX?_}%&r1`K{YC?%{za8^mztaC{0rD5g(Y2x>bhi`%FSCw`jc2_fb5* z$JC&Yzh|oW(&0lbKQ9v^$a{B85F2=1!5DfP`GfXw%Gxy;K^k5o`?=obZ%G5cD|amQ ze~V*^ckes=?ne{t30II&PtMIo)amoc=ag*9Pc+G7@SA$?S??PAthZ9-@y50~?DkN9 znU7~{rW*!XDeJwuzG3PUR&K7=%XYk#Nxs{o^iYGCca1H$Jmy)$@_yY$R99d>Gl4e!c&-Nmp<;jNE$+P6K@b7G#4| zA7s{e5&TQeT`!1!F^>m<4>pJ<>=K&e4YBAI2Ue$ninzwsNJl65Qjp}$tTWhjU^t2s z*_K%{?vhS2Dm)V@6JI72b744!6hM#U(k}dEh%YvR#WwOeUnS76qvwG zqW^qGKg|1x)8;iA$%b^TelE&6zbCz_Y|0TvaKzlJA*S>dvuZ{I6VpGt^!3_LT0llL zghWcQr{T>?TabsBWcjT=C3qV#zY?vCz4LsW9ZNsnj1ZirW2jFzwXd^R(Pbs`EcVf; zOghdwZ0Gc1ORx4nmiap$Q(Q&X!AqGNe&!2r`R^b97pC?1y77N#ng8eGb^7YHE`ihj zIO**0^FiW(YeLeH9XPT&;_v)U-GKjy$g3nb%~#Q*_mAqU8yNFAgAP%txrppgNUdhg zSmpIRCa~s|0h%mXFC=Zj4bhE$jSfyPTb)f4AO3YwXv9vzt$q?`c-x91$US=Os$Jl7 z!jxa|TdAGmZ+xUkGO2h`*y5m{vuuyY{+R>vq+n3*J;_aEdJGtWAPC&L>pQjfwN+P2 z$g%K;+bIEKi%P~#e#oFVz=kljC;kNPhP-u-;Wn}>0}Q;H1sltVc6%~uv~O7)Q}Hd~ zyx7a$Q>p&6l`mDW0eTd@nAsTAtYGYQ)~IbS>3J^TG7#Z8nS4ndzBj!{%IIay)?~&n z((Xz7Y|;mU8hPF}{_OObA!zV7eBFY5DqWg1;*r>mmw^WDte;r-r*m6D>ws|DJLdTh zH=569UV;S17wc5Uom`nm=-m7R2#p@jo>dDqE!VHW!Ng&3DtUgHQOJLJLzHfScJP-s zM{o@EeB(Emtz!%;!zk+FLGvtFj^>Vnr&7w6mz9ApJHL}PJT)6920dsyS_#1JJ8ilz zC#MpVpM+?MB*iaionxxI&b7aXDQ>{(%_+&@j=4~uA!H7LON1{41 zYzy3t-r{4eJA=}D~{j*T_ 
z+G@13=aw7#WlQ)NhQhq0uKFL+`$yg8bbjXqDU1Jjdj4=KB^~wSm==8pCbtPH9}X*N zw)Gg_>%7zXtR3WwOMkevjZ<`4)n4s(=++qE1)umfQo${Dzsx|oMZL&62$H>@h+o%y z_5Dy1pbPl4b1DP)?PO z>f}c6RO$Q0;#yidJ|F05LT6W(_^6fSXn$M;1R%&>I>? zV6rl5yyA^W3;t#;{+q4|$-+(pwZln0o21u8v!?Nq>SXISuyOgVk=~{A4K2Nz+JJM$|KmX9 zAB5xYuonLlUw6=JY1<;9)$hQPpujX8kmd?%l{Dm655RP?mwB&iQYx#5#C3GoBd=?s z*uvzJ;!d{DqXf&d%k`Fn)WG#do15|CnD2Z0%N9uoCXsj75X?&w_xri&E#A zpoH~U?$$VO0=czAs9FtFNYEy+xRF6v(fExBGMJVS*Hi!pg1dZ@*JPLI;+XkcPv z;>R;Ee~tAZqCd{RMS6OBsyw(FR_=hz9+7EUjNgv2f|rE#=3axuZO35NJ0rTiPKGD$ z0;lJn7%bF|{_eP3&TPAT%b{e6es8?0;4t=51leZYL4na&`{Af6X)luEj=qJ|sC{K= z)RLL)QEw*-qCA4nbR6Cb&4@=Q)b79ps`c@F{j4GG#~6&0q%;?CqNjmsn?AOyvsbE5 zt22J2<8b#d#nZ|5nL5TF?})4H;ptaVepQ}WR2q*7;EnYSGVy#yh0k6yq|ooE|4 zGkLy+VHm%7{af0h+Ph=K9-O$sIsgPXe~~^9-{De%jj%DAAftLz+m5I)#8vKdZil$k z1`S#_4iay;JYPZGIe&)PipKPKHWj%MRN+b_D@@&W%neKImEw+kk(OKoRcTfFZboue zh|kd5>v==?M7Dn^&2sVbQX;y}Dq${^bt$tG=krS4eP~)M+M&?Yl{vqf*x}+|)30S! zR^TLkY+drYL6YVr`8utErca*Ad1bQhlBKH)-GT{QUk`qJv-)2AigX^dgOAlIO7{-) z8S*&u)S2vL`-`3-(|Fb&66ptCPMuNAHZ3ajtr@MlxTf`ja_E**kLuZQelVl*QkdXn zMsqStBp-T4+As08Mr2eqmSljo5;1=;)+CQsq%O^{N z#2(vkx{2)csU6PHGE87`5@{+liympH!%1f)xc?~L92;<9v!70oXz(fRPx5c; zFy;*U4ZUQ%Y-Zd#o4~44Dl0U-&%781E^8x!&qDnT#~fd*Ye$l_%GGgB)YptJzg|Qq zBLfLh`6}(E@v2CLmX(Gj^R~}Mt@h+ebtTeAd&CF(Mo$dNXXwacIyU~k3ih);jm3mR z+O4k?@QeHcRj^fX^>&2Iz&%fQgn6r8_w@ev>jcxE6)mlhRS#o12%0ia8j6<$%#X1% zd&Fq{9s#i|gOsiB5*((gJ73SE3S~{bQtgpnpV}K57Qo8L!wC+ROKVypq#ulIbnDtG zh~iyfLb8Qe+UhbikZI7Mr^2^P?)PNTKKGBeoz}Z#0f~!YfJ=(&La%iL z-}|b)*;xQ1>?!<0Ebj=%On6XKl}IANz%%%!v@=~-nCd^nB%DDG1g)eLuui4CHd0+9O=>J5mO6H2%%tw?D^+ieQ4$ z29{ge9L`FVBYvDro@*1=_Z|4fKAG^N^H~lSoXDxV zBwh=%g#X$H{I?q;|HH?JOuBSFIu((;d31hM?=Vs)?7au|J?9CbgR1BoXSN;{a3+H- z=k^WAs^!^%plQQ%TC^5Q8cqe-TQ*;Qz+tFsJLXgr``ehMSrplQX7?C_@y>Y?1W8`k zaCvY`oVFI}C^GjQ@^d0TMSn|!+dB>RIJ4)B1jaAEARe#(!a@`yc?;C=@oxa$&=RXt zzgwKu+2Bz=08D_)Y<~D%65QjQu?wu|%hC(k(J(o#sSdVYor^#3 z%>Y*TLk=b&Odwg?VT<*YUSVR@u;}2WKoiQ{FCkMGD!Q-V*=828J!RQ+xU 
z_8lmmNMV$2`R>bO(S5JFl%T_|RJ0~!C0L4KCaP|Fj3o);D|j%vbTcdjGPe8|*GM&0 z2TCi@J45kI^Bb7|1zTq=8L*te&2yI=f#)2}u3knIM?Y0d`67~a)r#4K!#YfXj(g=+ zB)n~2ofl!xv9Efayze!k(NNi}k)q?tybC%Qk0@7JVlL}IDf#YqoV_Y~){4CcQxtwR zWj-sY=y5>}Rm9lmH@>`@34FAVmhI1-j{Qn3ykLG zEj#L!#lr_ryWVaatT{QoD7Fs3D^Cg9FjmHEU+X(d?^VkrZ_|| zMc>Qvt@SrA$?DLWa;?rz$1{Jxa=NQ4%B-_?j_8+W;k3Q&3tr$!2Ms=YffQ(IY#>ZUgt3h(s$k{37mgd&PbPYaM|?JLi>N*mVZ&u4t+ zXKH@HqwL>>qE|cYk9PLPS;9qG=^rfLP1xhKnv2!a-DP}hS&lTH(V~G2$1om2Bbh#e zgZV+e6rEsDlKkEW6xdHz1jv>_J4i2igFbQ6Y*WK-HDMvmuxKBcx5#N4%)T@E3t9Ps z%%ymZN{z)CC8%m2tfbalNwMr|Uas_g79<@v)LYuW$|P;w8=sHu3M|OuCgGClwjaJ3 za|a)}*I?LLd;NFBl@BfvVPoxwGm(hF%G<_dIQcrM4R2q4Z4AOfXW)EjneI+AkJjTT zIBXwsVL`#Y(kDsUM`f?#X&gdk6%q>g`1CL6$ ziL+My@TH23ke=SM54PxCsETd))vY+RU>|H9CmB{Z_`vQ2dRwspO{n zy>K1$`x#t7SP&p$@eZniSLXGd#Sy6DfGB2_?m6Us5>5#=^6Gp|C{nt8`Ky1f&o?$a z>*$u+hpBYUwzhk>>azFf!$N!z^G(tnR|de!OV+huRXPR@H?P}fTHED9C?Yu0iiy{> zU0Lad8`q(6$HRuExLky-cICoW@9|5TDwH&Z>cqj<){?u*q`_mCmf0Vlsh?fG_suIK z6g{TlK}Q!$JM;l)Wp;iU%ZjN;N5&x;S35Ili;HF9p_ntDaRgSk>QC1aru6`9`Z=uq-7I-tMMV?fuWO#o94`TV7LWq|f)Lh}=}wfrS1jBL*f%5}nKkYE!LOe62lJisWNRu|Hx9}P2Bk7YD-pU%#* zcMCe6ZrAn=c~@IdRF)1VOq8LQEBQ;l)jy^KDt7|BmDlf36&rf!>YLr0T*@ubw?j|4 zY}hTRfE21XP6&!7%W0dzgGS=cR^SD=l+2QzO_frZ8XF#%x(wST5nfFGRGKg zAm8}|qlw8&Qu2ZtAV7Gyx$7{SKIrS{ob@vc)p4Y0!Qq75N#sN*=HWdmX=Sk z04?ECG0uYWnw*sIVV_*Q)pA;NOR1MHcGuPZ(}HdUxVvuCp(GlMZnyO{Fa_{jnAuir zU()_-$78!CN@Pi>Av51o6`Nul3;k2-%M`A}#g5~xoHji$6PD+QcY{szqNv*hU1p*} zr_~W7I9jC83%d%E$`vO6V`cmILm&T++xX96ewL`;#G;ZprZ1o{s(yRF_5_8V3dPMd z(PY?68DY&!eXg~sY0gV>irc;c7TU6gS3VHwIVx7&eHmSBX+v6mYX3wbVIg z9YN5=?3kjHW&2jjtEdteSaxIhOiv>eVWbqgUxNADlWTCRMoUk1nCg`T&YS zl5uT)wPVLJZh8i|(_#i%n)Xl};;S`JRwA}nl)mW!`mm1KzymPKF!IfJ?gInfa`wF! 
zzUY17f=CE`)JZN7gTJJ`k>*G8!D^GBHQfN+C4255=;T3!y&Ge4Qfk zK>9C_tiP4OT$gvK6r9*^iQgmRK3^~eI*9K17Mp9YH{QAZ-TQoZabj3@enobk%zdl; z`@z>1efEwdUdFuuE86)n7p-&)WstkeoQ#a`@m{?h4}+5Rjxiv8;ouJ6vwv%*DQU;s zr@QohzH4_KtMk6}d@5Td<6dvO*3}d6Yyy4{t4U8*g}NMk?rN@&oQZWo#JQkvmoaIM z9d*QgC+$qt3la9TQl80RA^36s;>o6ysfuh1T%|pgv$m??PB}AVwwU=qQkW-H2Lmr1 zLEIbbFzIx=y-Air&WXbqVzq%*rrRkE9@SF7O2o=?S(ED1yV%IoJ-hN*6Q)})hY?+5 zX%&grmEcy=u?8t@y(!~cI(p;%T7p?z{!~+LMw6|R_1{inHGJnL(Jm>jVAw6ie*lO; zgu9fS%)sWd%3fU8E@MHM#fZGTL~J3m?WR$4VYmL9%=y8Ea>j>_$G+9M_>Y@!_^t9C|@5;CUB-gMZj*k-PL&OT9HIwK&vAPGU6TbzAj zjC<8|-_5Ju{v7GMH8101O}q!>i{Ep)e<GdrWJ~we|ke??8-X z#0Xke5nGvzvsl`98asD#9L?L%;3H*eqQh=`ltccN>F2blm5&+ zttszmmRLrvhE00-SpT^H4&&4fFDSSZ*j&VyU~AQvezpzXa!9GkKjp>gRQPYoVXU_> zn{scc`*Kdd^*OgoY*V5o0_8$Azn-a&eUvki%PLACdDv354URv%K+8^TTbLJNkUi2d z5y|onl@bN<6BUE-v7l9d?M4qx?pw)9)CY=}pz6pRP`7SB3%!4gz5^ENC(IO3p>DTb zDt;z;eDYolRa)ejY|NAw+RsaVO1}U-Ux!W4YwiWP*KZN(1XUj9?*)1Tt1f4<^!5%b zd!iVUc%e_MGj5o4480sjKuA6`WV`Gi<8?QEf}Hx{-A((`31hg zdU>h54iz}20@VxsZ7OdCt&{j$J{deL@WmzWrCJd-XN7AuN)LOdtdGPgf*Ux)esv~Vr_S=g)4Ps{cAt!2^XbW4UGml`l4_ZC`zIu0d4D_1 z&KCK51kxJ3s@K8JAPq{5F5+8AIo&~>!Nk7GG5Y(2O%+CYJB2-C!MD#~M;#ur8;ehB zw;#V(TrQ@IW6SePGSG4dIm4=5>{`Q;q8LyLDI?mX z7wn)T4GsAAbeKc&$Wduj#zj7dCQQ%YYGOb;7-9y8Ba%m(BWwskxf}2YPn%7X_>LjP z&Fwivui$Is#ZqpwpU2GzvN<51PW2;RtN@$ruJ9GKj`=Xrc5NWpFmBN*_*>i$onJ21 zZ(%yqipcsg>zLPCNdF;0p4%u{W3wvTArBqm0P#m7<#LPL&7R2yK3mxoyU$h{%=7;N zutkd=JGkBMr(PVpS$fvvFSj;_TRJG|LahjUO6$Id&I@;vMcD;)I~}9_HYW=e7KDwo z3Dr+Wr__|D6{bH@lQ6&`j4y6-I*61Lg*mtkP30pATN|1iJeY&?MfcD%<_EO+Z#NiR z#X;_AGU;oiFN`f}=*y!x6S32i9# zCg$?}mw4c6m8<`aaJ}D#)G?Wz?1fMk@NQXpaq%sn{=*(ONojVz zRxjSs%hryRWfu0V1^P9z$lScd*ao7fk@-u50Mu`ztE3>aBpwKf@nu^wkM@86@!w6U{yW0*Zw&9h;^y+IVI>IWfaiv*f=25a+kkQl zsP2A#-1lT;o!1d!QUC3lWmj7V0ZSK*rrNB=u=O(46tE3X8r)UrMICr z*b{Z_#z2^m`rbsD>{Bzq%6aU$f7TD;A0lWn&{#I>f#qzwl8hajzNRo-%{ox(tDutZLsnwu8kI{= z-YrQW4T;7vgZ97oSI1#On1nu=Wo73<8NOy6xaSAm#7LXFm`M)jL70FhPqZhvW3QYb=~RuAFfYuJk!*tw>!Wk?`ZGyBefPoII2z(XAsA@w_{ 
zKZB`0+fv6xHJG~}pv^6_IB?oiXOPD}M(RulqD~q|El#k17yRmy^%MFJgJm;6rLSX? zm1hU&l|xf1e#%|?Go^n)#9|BjJrlyuVq;dNaj{qjU1Pnb=rmK|t=P?oXW*cHPIVis z!eo8?A`wYZ`J#zr>gzKu1A<1=wp%wuo`qJka(x%@zr|F_sag}nP9H5zIe!D#pogiO z+o{Q5f{VnP(>gsXRUctFiZ(Th>c|)oF#nC%3oNQ5+y%%LkMo3;uhNZO~ zs334bvn|l7BLDrE!VhFR5XBmIc9*6ueYVZ$R+9Ha)Q)al@b~oWb!fX4WN7H*c>vD- z-c+LBguP1+y4h0(KI%u-pyWHx=q?9k7eZtc>Uz9t7mVDq?)Mw!Qt!hu34Sf4lQ{zm zQ8vtq)v(h3>~&ZCBj`tobQg68t)nXEN2K&^M+F5$SmFwr@YjtKw0LI~Ak84#QHFZA zD?J_6mJ^)}ks>)dA`u1{Qrl#muh9g=qwV+M1s#LMHE;(igdf(9)AF_H#SLDQrId2s z!;<^u_yLgP%cz?DU2Kb2%U$8j^}3QclQr%t21 zsILfjpTiMAcw4RaTYUQJVu_Cj%}&-C%qRGd!Fjzw&Y`*(f2$9a^5E$KadJmTR8Vs3 zOjb`&D$>@W#}}kKK%WTb1HnL(uy5q~G+^gp_|^S~+S__G^4H(% zU){%GF(?9s3c_|UPc8XHC(A>9rG(Ljya>f@wYg0@VIjqRJ2bSjI%CK?B(G+x z!IAsr)gyNWgGwiGBXftbZ=qZ=RCbsl;m@B9U-m%%#+n)G|@j zYDPU);*<+1DlL;@BH)6G3zm+O7&5tlE0(B?67FcY;7j!W^`7&c@0|CX@4x4d=YH<{ zx$paV?%(hFUDvfPvy6yDL+Oh4?Xm)Q*hdOmaQ`jMWx)Zt_?ACC<E-D=*Jb zu7^COl~D%DDreMf{sIPF?^shyN`*{%Pf(1A+A^Oe%J>U67Z@MYT05y4Tcpn@YElQi z8hYJrl<>}hMFU-i(=nP)%9?}m2K=JGS3)!uU0I}ls-IQg& zR;pRE|4mw1<-9Z>IV2^T(Ln^QRJzCE$#g=)JBlOL69)Q&+L`o-L}~mrk`MBLNf0_# zH+nW~ilZ(4clJ@%`@zybd4F5IKNP6DSiADUX3!2_eHOS)pNBj|N>`!EZL@E`l%m_} zQ%U+n4*7#g+iZX9k)qB}7VF%vy3p1y$6Vr85Mu$Fiww;^NdAUbg*F_BY6tXBIMHK> zqsC&ze8sWRyAvZ0eMxhP`#X&st9YZ$?y$5f?cmrB8wM=TyD5>1==!9$fy#oF_#+S1D^0V#PI2w(Ke#%7qt8t8BxTaeO9#;wDaozA?XS|3;JrNEThGOh$&$j5F@!WS)!QP4GWyFbYXZsf zglOg@(H(M2^LQbP39+Dh^T__0_~E4WAeW{wQgbFhCTF=|)eK4J1rHQv*0D~c-`Yyx zb+Lf?T72I^2mzU>R~n|z_0#?1`pKA7@uF3~@TnQ80$P(;1Ht;T9Y)A@Wx1gddYg&i zs_J|Y!FDNgJUdn`XVcj@5Fij(qLSAQ49Cvu&6`I<9_iz-tYy?|QKCiL7vJf(8o|;% z+Q5xLMmka`0*8Nmd!h$A=xfIHY6|{IUQ- zbR#6!feo%_m#~NF$5UEFsIALSGX`jfHp+x9YjG~Vs^r4$>DBmz#g2mylWFXlQ2`wP zZ6Bbv;itUmD^2BFOEfp4eKL4xt=iwNh6xYeuuE8*^&-)C`SmL5C zoXh9>K|3dDL=HjjbtxM?>;#VydYLOBWTK7eFSGh|4097U`SPn#M>Wf}mlhY$uL%2J?WX63|i zcyntyh#K265QkwX@yAFRPWdPpDn_p=IhHp(8eYh@U|=@m8Se{(?l2#(pK8M_o*B-0 zya%Ppx-&Cc={?aFDN!BmmxU!)A{svxQO}a?$>BIiTAqu&D9o}>o!MCzuhzYk*as*E 
z5v!wog*bSzh9ve?n0MT3dtz7&23d42N+pLH+)p|qI&3;AFpQi>bYuLQ?5;%B_k@?~ z@s;$6u|VWz>aWO;_nDwf+7|N#5)xe+J^?kn2?@SqUeOB%93ETwMsV!PBKRL>i!1sO3j+F41b0?9 zFtPxl)zM-%hRs-#-r7v5&*q*yIJ%feTaigk3tnym2VbhA$G9wfq_^ADyBAiYEcki& zxXOd6DwEGExcbVfM-y2&B&WHgb=qROU(|7%U!LF`q7jx(vK)vlHiXg->;Bc?74F=T z@_-NK9?`4dsBBg1w=?x#63PxR`)Gd(F@kDvwx3gJV{?3uXV$XAtE_8q!|b>_O<=N^ zX|jm^Y`+DGRwd?+iAW=lCCTZX(u|w1HngxwLr7un3=O&7R$hi z?nkn#(^2GIZk_n@c62i=G)IL+Y)+Z2Iwpl1Y}_$r`D2`9kU?|L(jYT-swiptav-3R z7rJFC$cN#tMcx*ZX))7OW>5Jc-)F#MobyfpgA>GE@ShLy7YepCWy7o7-m^LiclD_L zhf#=hp0fSeTNFX(oLUajNqg6+F$HmlnM`hni}I;=pM-qK)`)(x8Kv~`s1NTd=&UGn zY6lV2ReYYHx0Wcc2&AasaJ&8~OFr$I@KAVb+4lW*hMM_9gii3gWi?MZXO5>o`e#|o z;ynm_nsC#HWtVc^b|PHxNggr&mznT?$@(QfK%}zn44FS5OYJ0uiu8XDG#r;FLAu*5 zu1#YdXtP;|+SD_sO||Ffv34n8f4QD7LZ&^$%GIbO({X<=MKTVqfCcYf_}$#>dhDyKJmIm4cN#QRuEJk=#vh;kn66kn5!q<@+* zzhV^mZp!zu0Bl38Z=0ZZNb_$7(4|c$!fe8>O?8=&5S90iCv)r{|K#g5H=DqW!;``B z=37c9D%#P_pB=S=VdZ-k{*psu=bqCnvS=#5cWEB2&Kw_`JEQR^>nO_f2P|u&@VGYvN`o{LLnfTW))>#a;fa= zlc*G?5PG;ZzNq=ER6rH(`cW>515@q&ZQmTA-n~LhJJYx=-+O7gngUhlcToe{`cqg(CX;?!uyFraV>53*|OS6?y9$ zVkmiR)k^mbM82%}j`}J){O|7juX|fbB3%u<(E3HG7*!wT$2YF*1vt>dM{aF{f?iql zH7si0zBucH`S1gS24+BtvxGCXcL0qryvOO*(ofJ<7)Mf1|I`CBiJBVU@pOokyB>}ZDyBPes?lwY0 z`YtVs{Hw$my~`NrlzIDoGd_S}on!jLM*>a7N-D0$zP_>}37eE;m8yKSd5STDe)COg z8`F`?W+!Z@H~fE)O#d%1tnth3#UbvwTm(Bs7S^}V70GNJG~~eg!P0rxVPNl+&4sxQ z)f%Z^gxQA7EaRj+8(MK!$r=+KmG%b>M!Ip_RLv9;+~qmb6ZI#RMn>C{w>P;jG-PE_ zC;3AEeA0FR|JqQJ`03i3Hg8O1DS2cz#2xk}a(Rm8br(@#jW87e+#y+i z>)%?*>Q|!5mZLxF%1SoG)`5TOv0(R@k%>&}q^3(CONB%7AEdKTc30G!s{vEXmHCvV zpL~-ZT8>|{7_3c>c&?~W{H^4-Swkp1S#%xa7TH;P|pCow3of_T6<)Yuzr5^n8<|9&dyxy*!C+uS*~+FEHOY)79CG$T3D>-Hgq zzvY4l(!NC=)~|+*Mv%TG-whs=sm*?WX Date: Mon, 5 Oct 2020 11:33:22 +0200 Subject: [PATCH 013/220] Add screenshots and better explanation --- docs/client/client-thunderbird.md | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) 
diff --git a/docs/client/client-thunderbird.md b/docs/client/client-thunderbird.md index ffd8f22e1..5578bc675 100644 --- a/docs/client/client-thunderbird.md +++ b/docs/client/client-thunderbird.md @@ -61,4 +61,20 @@ Instead of using SOGo Connector you can use a combination of - https://addons.thunderbird.net/de/thunderbird/addon/tbsync/ and - https://addons.thunderbird.net/de/thunderbird/addon/dav-4-tbsync/ -To add Cal-/CardDAV accounts you go to `Tools` and look near the account settings - there should be a new entry about TbSync there. You can add new accounts via the CalDAV & CardDAV provider there. +1. To add Cal-/CardDAV accounts you go to `Tools` and look near the account settings - there should be a new entry about TbSync there: + +![TbSync](../images/thunderbird-tbsync.png) + +2. You can add new accounts via the CalDAV & CardDAV provider there: + +![TbSync - CalDAV & CardDAV Provider](../images/thunderbird-tbsync-caldav.png) + +3. Choose "Automatic Configuration" next. Use your mail address for Account name and User name and choose your mail password for the Password. The server URL is your MAILCOW_HOSTNAME (specifying any protocol is not necessary, just enter the full domain). + +4. Now tick the checkbox for "Enable and synchronize this account" in the Synchronization status tab: + +![TbSync - Enable](../images/thunderbird-tbsync-enable.png) + +5. Several available resources should appear in the same window area now. Tick all checkboxes of the resources (address books and calendars) that you want to sync. Choose a periodic synchronization (in minutes) in the same window area before clicking on "Synchronize now". If you leave the periodic sync at 0 it will only sync manually so choose at least 30 minutes for periodic synchronization. + +If you want to manually synchronize you can find this option under "Account actions" - the dropdown-menu where you added the Cal-/CardDAV account (step 2). 
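Review bot: the numbered steps 1 to 5 are separated by unindented image lines (`![TbSync](../images/thunderbird-tbsync.png)` and the two after it), so each number starts its own list and some Markdown renderers will restart the numbering at 1, which breaks the closing reference to "step 2". Indent each image line under its list item so the five steps stay one list. Step 3 says no protocol needs to be given for the server URL; it would help to say which scheme is then used, so readers know whether the DAV password travels over TLS.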
From e773f4f25d9aeee06c415ebccf8f80def2886931 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Tue, 6 Oct 2020 20:47:54 +0200 Subject: [PATCH 014/220] Update client-thunderbird.md --- docs/client/client-thunderbird.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/docs/client/client-thunderbird.md b/docs/client/client-thunderbird.md index 5578bc675..c863d4e5f 100644 --- a/docs/client/client-thunderbird.md +++ b/docs/client/client-thunderbird.md 
@@ -58,23 +58,24 @@ Automatic configuration of calendars and address books (from step 9 onward) in T ## Different method of connecting Cal-/CardDAV in Thunderbird with automatic detection of address books and calendars Instead of using SOGo Connector you can use a combination of + - https://addons.thunderbird.net/de/thunderbird/addon/tbsync/ and - https://addons.thunderbird.net/de/thunderbird/addon/dav-4-tbsync/ -1. To add Cal-/CardDAV accounts you go to `Tools` and look near the account settings - there should be a new entry about TbSync there: +1. To add your Cal-/CardDAV accounts go to `Tools` and find TbSync ![TbSync](../images/thunderbird-tbsync.png) -2. You can add new accounts via the CalDAV & CardDAV provider there: +2. You can add new accounts via the CalDAV & CardDAV provider: ![TbSync - CalDAV & CardDAV Provider](../images/thunderbird-tbsync-caldav.png) -3. Choose "Automatic Configuration" next. Use your mail address for Account name and User name and choose your mail password for the Password. The server URL is your MAILCOW_HOSTNAME (specifying any protocol is not necessary, just enter the full domain). +3. Choose "Automatic Configuration". Use your mail address as account and username. Use your mail password as DAV password. The server URL is your MAILCOW_HOSTNAME (specifying any protocol is not necessary, just enter the full domain). -4. Now tick the checkbox for "Enable and synchronize this account" in the Synchronization status tab: +4. Now tick the checkbox for "Enable and synchronize this account" in the synchronization status tab: ![TbSync - Enable](../images/thunderbird-tbsync-enable.png) -5. Several available resources should appear in the same window area now. Tick all checkboxes of the resources (address books and calendars) that you want to sync. Choose a periodic synchronization (in minutes) in the same window area before clicking on "Synchronize now". 
If you leave the periodic sync at 0 it will only sync manually so choose at least 30 minutes for periodic synchronization. +5. Several available resources should appear in the same window area now. Tick all checkboxes of the resources (address books and calendars) that you want to sync. Choose a synchronization period (in minutes) in the same window area before clicking on "Synchronize now". If you leave the sync at "0" it will only sync manually so choose at least 30 minutes for periodic synchronization. If you want to manually synchronize you can find this option under "Account actions" - the dropdown-menu where you added the Cal-/CardDAV account (step 2). From 669123da668b840aefc872161a74939fe823af5a Mon Sep 17 00:00:00 2001 From: Hannes Happle Date: Tue, 6 Oct 2020 22:59:09 +0200 Subject: [PATCH 015/220] Add info for SELinux systems --- docs/i_u_m_install.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/docs/i_u_m_install.md b/docs/i_u_m_install.md index 97bea2a66..7ce98460d 100644 --- a/docs/i_u_m_install.md +++ b/docs/i_u_m_install.md 
@@ -30,6 +30,28 @@ chmod +x /usr/local/bin/docker-compose Please use the latest Docker engine available and do not use the engine that ships with your distros repository. +**1\.1\.** On SELinux enabled systems (e.g. CentOS 7, CentOS Atomic, Fedora CoreOS): + +- Check if "container-selinux" package is present on your system: +``` +rpm -qa | grep container-selinux +``` +If the above command returns an empty or no output, you should install it via your package manager. + +- Check if docker has SELinux support enabled: +``` +# docker info | grep selinux +``` +If the above command returns an empty or no output, create or edit `/etc/docker/daemon.json` and add `"selinux-enabled": true`. Example file content: +``` +{ + "selinux-enabled": true +} +``` +Then restart the docker daemon and check again. + +This needs to be done so that mailcow's volumes are properly labeled as declared in the compose file. If you are interested in how this works, you can check out the Readme of https://github.com/containers/container-selinux which links to a lot of useful information on that topic. + **2\.** Clone the master branch of the repository, make sure your umask equals 0022. Please clone the repository as root user and also control the stack as root. We will modify attributes - if necessary - while boostrapping the containers automatically and make sure everything is secured. The update.sh script must therefore also be run as root. It might be necessary to change ownership and other attributes of files you will otherwise not have access to. **We drop permissions for every exposed application** and will not run an exposed service as root! Controlling the Docker daemon as non-root user does not give you additional security. The unprivileged user will spawn the containers as root likewise. The behaviour of the stack is identical. ``` From fb04ab7132980d49ee7e2f9f9e0fe2e840a9f95b Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Wed, 7 Oct 2020 20:18:19 +0200 Subject: [PATCH 016/220] Update build-thunderbird-plugins.sh --- docs/download/build-thunderbird-plugins.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/download/build-thunderbird-plugins.sh b/docs/download/build-thunderbird-plugins.sh index 6cc4bd23e..27f2e9ded 100755 --- a/docs/download/build-thunderbird-plugins.sh +++ b/docs/download/build-thunderbird-plugins.sh @@ -10,7 +10,7 @@ fi cd $(dirname $0) -wget -O connector.tar.gz https://github.com/inverse-inc/sogo-connector/archive/master.tar.gz +wget -O connector.tar.gz https://github.com/inverse-inc/sogo-connector/archive/sogo-connector-68.0.1.tar.gz mkdir -p connector tar --strip-components=1 -C connector -xf connector.tar.gz From c261f75f2fac838609b243cdaca1d98933d9d0a7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Wed, 7 Oct 2020 20:20:28 +0200 Subject: [PATCH 017/220] Update third_party-thunderbird.md --- docs/third_party-thunderbird.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/third_party-thunderbird.md b/docs/third_party-thunderbird.md index fa46e4525..8f018c9de 100644 --- a/docs/third_party-thunderbird.md +++ b/docs/third_party-thunderbird.md @@ -24,5 +24,5 @@ echo example.com example.org | ./build-plugins.sh mailcow.example.com # Install it in Thunderbird -After you have set up your mailcow IMAP account in Thunderbird, download the SOGo Connector plugin for your domain, e.g. https://mailcow.example.com/thunderbird-plugins/sogo-connector-68.0.0-example.com.xpi, and install it into Thunderbird. +After you have set up your mailcow IMAP account in Thunderbird, download the SOGo Connector plugin for your domain, e.g. https://mailcow.example.com/thunderbird-plugins/sogo-connector-68.0.1-example.com.xpi (see `data/web/thunderbird-plugins`), and install it into Thunderbird. All your address books and calendars will be configured automatically. 
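Review bot: in PATCH 016/220 (`docs/download/build-thunderbird-plugins.sh`), the archive fetched by `wget -O connector.tar.gz` is unpacked by the following `tar --strip-components=1 -C connector -xf connector.tar.gz` with no integrity check in the visible lines. Since the URL now names one fixed release, record that archive's SHA-256 in the script and verify it (for example with `sha256sum -c`) before extracting, so a changed or truncated download fails the build instead of ending up in the plugin that users install. The same version string is repeated in the docs URL changed by PATCH 017/220, so the two need updating together.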
From 39389e238644a3a9a5c26e54d40375b3c8ed05ee Mon Sep 17 00:00:00 2001 From: Hannes Happle Date: Thu, 8 Oct 2020 09:46:24 +0200 Subject: [PATCH 018/220] Remove not officially supported OS --- docs/i_u_m_install.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/i_u_m_install.md b/docs/i_u_m_install.md index 7ce98460d..74745a159 100644 --- a/docs/i_u_m_install.md +++ b/docs/i_u_m_install.md @@ -30,7 +30,7 @@ chmod +x /usr/local/bin/docker-compose Please use the latest Docker engine available and do not use the engine that ships with your distros repository. -**1\.1\.** On SELinux enabled systems (e.g. CentOS 7, CentOS Atomic, Fedora CoreOS): +**1\.1\.** On SELinux enabled systems, e.g. CentOS 7: - Check if "container-selinux" package is present on your system: ``` From 0125fd06fcfce87c734ad7faf22e87d4dde7d3a1 Mon Sep 17 00:00:00 2001 From: andryyy Date: Thu, 8 Oct 2020 09:57:12 +0200 Subject: [PATCH 019/220] Minor text change --- docs/i_u_m_install.md | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/docs/i_u_m_install.md b/docs/i_u_m_install.md index 74745a159..910368a40 100644 --- a/docs/i_u_m_install.md +++ b/docs/i_u_m_install.md 
@@ -33,24 +33,32 @@ Please use the latest Docker engine available and do not use the engine that shi **1\.1\.** On SELinux enabled systems, e.g. CentOS 7: - Check if "container-selinux" package is present on your system: + ``` rpm -qa | grep container-selinux ``` + If the above command returns an empty or no output, you should install it via your package manager. - Check if docker has SELinux support enabled: + ``` # docker info | grep selinux ``` + If the above command returns an empty or no output, create or edit `/etc/docker/daemon.json` and add `"selinux-enabled": true`. Example file content: + ``` { "selinux-enabled": true } ``` -Then restart the docker daemon and check again. -This needs to be done so that mailcow's volumes are properly labeled as declared in the compose file. If you are interested in how this works, you can check out the Readme of https://github.com/containers/container-selinux which links to a lot of useful information on that topic. +Restart the docker daemon and verify SELinux is now enabled. + +This step is required to make sure mailcows volumes are properly labeled as declared in the compose file. +If you are interested in how this works, you can check out the readme of https://github.com/containers/container-selinux which links to a lot of useful information on that topic. + **2\.** Clone the master branch of the repository, make sure your umask equals 0022. Please clone the repository as root user and also control the stack as root. We will modify attributes - if necessary - while boostrapping the containers automatically and make sure everything is secured. The update.sh script must therefore also be run as root. It might be necessary to change ownership and other attributes of files you will otherwise not have access to. **We drop permissions for every exposed application** and will not run an exposed service as root! Controlling the Docker daemon as non-root user does not give you additional security. 
The unprivileged user will spawn the containers as root likewise. The behaviour of the stack is identical. From aae8782f54076ff09ad2fda583b1f24d22830023 Mon Sep 17 00:00:00 2001 From: Hannes Happle Date: Thu, 8 Oct 2020 10:06:21 +0200 Subject: [PATCH 020/220] Removed "'#" for consistency --- docs/i_u_m_install.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/i_u_m_install.md b/docs/i_u_m_install.md index 910368a40..d30d69eb3 100644 --- a/docs/i_u_m_install.md +++ b/docs/i_u_m_install.md @@ -43,7 +43,7 @@ If the above command returns an empty or no output, you should install it via yo - Check if docker has SELinux support enabled: ``` -# docker info | grep selinux +docker info | grep selinux ``` If the above command returns an empty or no output, create or edit `/etc/docker/daemon.json` and add `"selinux-enabled": true`. Example file content: From b573b7cd7a16f9106ae6a52ee099f8fa6bacedca Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Thu, 8 Oct 2020 13:45:52 +0200 Subject: [PATCH 021/220] Update u_e-nginx.md --- docs/u_e-nginx.md | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/docs/u_e-nginx.md b/docs/u_e-nginx.md index ee975b754..74aa36c37 100644 --- a/docs/u_e-nginx.md +++ b/docs/u_e-nginx.md 
@@ -28,6 +28,40 @@ server { } ``` +Another example with a reverse proxy configuration: + +``` hl_lines="9,21" +server { + ssl_certificate /etc/ssl/mail/cert.pem; + ssl_certificate_key /etc/ssl/mail/key.pem; + index index.php index.html; + client_max_body_size 0; + root /web; + include /etc/nginx/conf.d/listen_plain.active; + include /etc/nginx/conf.d/listen_ssl.active; + server_name example.domain.tld; + + location ^~ /.well-known/acme-challenge/ { + allow all; + default_type "text/plain"; + } + + if ($scheme = http) { + return 301 https://$host$request_uri; + } + + location / { + proxy_pass http://127.0.0.1:3000/; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + client_max_body_size 0; + } +} +``` + + The filename is not important, as long as the filename carries a .conf extension. It is also possible to extend the configuration of the default file `site.conf` file: From 9758615da14b9e5f48c37db61938fc16af7a35ed Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Thu, 8 Oct 2020 13:47:24 +0200 Subject: [PATCH 022/220] Update u_e-nginx.md --- docs/u_e-nginx.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/u_e-nginx.md b/docs/u_e-nginx.md index 74aa36c37..cf390c776 100644 --- a/docs/u_e-nginx.md +++ b/docs/u_e-nginx.md @@ -51,7 +51,7 @@ server { } location / { - proxy_pass http://127.0.0.1:3000/; + proxy_pass http://service:3000/; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; From 9236ffe75399ee0f2ead6073a5a0c83281c5becb Mon Sep 17 00:00:00 2001 From: Peter Date: Thu, 8 Oct 2020 20:08:56 +0200 Subject: [PATCH 023/220] Fix codeblock --- docs/u_e-nginx.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/u_e-nginx.md b/docs/u_e-nginx.md index cf390c776..efeace445 100644 
--- a/docs/u_e-nginx.md +++ b/docs/u_e-nginx.md @@ -30,7 +30,7 @@ server { Another example with a reverse proxy configuration: -``` hl_lines="9,21" +``` hl_lines="9 21" server { ssl_certificate /etc/ssl/mail/cert.pem; ssl_certificate_key /etc/ssl/mail/key.pem; From d6934b400ad15ca00fd4165da1140b835d920eef Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Sat, 10 Oct 2020 09:35:41 +0200 Subject: [PATCH 024/220] Update i_u_m_update.md --- docs/i_u_m_update.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/i_u_m_update.md b/docs/i_u_m_update.md index 7683288f9..618aa5361 100644 --- a/docs/i_u_m_update.md +++ b/docs/i_u_m_update.md @@ -18,7 +18,7 @@ Some minor conflicts will be auto-corrected (in favour for the mailcow: dockeriz ``` # Options can be combined -# - Check for updates +# - Check for updates and show changes ./update.sh --check # Do not try to update docker-compose, **make sure to use the latest docker-compose available** From 7d8a1ba4847480a08e17a3f46f9e7a9a496245be Mon Sep 17 00:00:00 2001 From: Justin Vogt Date: Sat, 10 Oct 2020 11:43:20 +0200 Subject: [PATCH 025/220] Add exchange Hybrid Setup docs --- docs/u_e-exchange-onprem.md | 65 +++++++++++++++++++++++++++++++++++++ mkdocs.yml | 1 + 2 files changed, 66 insertions(+) create mode 100644 docs/u_e-exchange-onprem.md diff --git a/docs/u_e-exchange-onprem.md b/docs/u_e-exchange-onprem.md new file mode 100644 index 000000000..eaea027dd --- /dev/null +++ b/docs/u_e-exchange-onprem.md 
@@ -0,0 +1,65 @@ +This is a simple integration of mailcow aliases and the mailbox name into mailpiler when using IMAP authentication. + +**Disclaimer**: This is not officially maintained nor supported by the mailcow project nor its contributors. No warranty or support is being provided, however you're free to open issues on GitHub for filing a bug or provide further ideas. [GitHub repo can be found here](https://github.com/patschi/mailpiler-mailcow-integration). + +## The problem to solve + +mailpiler offers the authentication based on IMAP, for example: + +```php +$config['ENABLE_IMAP_AUTH'] = 1; +$config['IMAP_HOST'] = 'mail.example.com'; +$config['IMAP_PORT'] = 993; +$config['IMAP_SSL'] = true; +``` + +- So when you log in using `patrik@example.com`, you will only see delivered emails sent from or to this specific email address. +- When additional aliases are defined in mailcow, like `team@example.com`, you won't see emails sent to or from this email address even the fact you're a recipient of mails sent to this alias address. + +By hooking into the authentication process of mailpiler, we are able to get required data via the mailcow API during login. This fires API requests to the mailcow API (requiring read-only API access) to read out the aliases your email address participates and also the "Name" of the mailbox specified to display it on the top-right of mailpiler after login. + +Permitted email addresses can be seen in the mailpiler settings top-right after logging in. + +!!! info + This is only pulled once during the authentication process. The authorized aliases and the realname are valid for the whole duration of the user session as mailpiler sets them in the session data. If user is removed from specific alias, this will only take effect after next login. + +## The solution + +Note: File paths might vary depending on your setup. 
+ +### Requirements + +- A working mailcow instance +- A working mailpiler instance ([You can find an installation guide here](https://patrik.kernstock.net/2020/08/mailpiler-installation-guide/)) +- An mailcow API key (read-only works just fine): `Configuration & Details - Access - Read-Only Access`. Don't forget to allow API access from your mailpiler IP. + +!!! warning + As mailpiler authenticates against mailcow, our IMAP server, failed logins of users or bots might trigger a block for your mailpiler instance. Therefore you might want to consider whitelisting the IP address of the mailpiler instance within mailcow: `Configuration & Details - Configuration - Fail2ban parameters - Whitelisted networks/hosts`. + +### Setup + +1. Set the custom query function of mailpiler and append this to `/usr/local/etc/piler/config-site.php`: + + ```php + $config['MAILCOW_API_KEY'] = 'YOUR_READONLY_API_KEY'; + $config['MAILCOW_SET_REALNAME'] = true; // when not specified, then default is false + $config['CUSTOM_EMAIL_QUERY_FUNCTION'] = 'query_mailcow_for_email_access'; + include('auth-mailcow.php'); + ``` + + You can also change the mailcow hostname, if required: + ```php + $config['MAILCOW_HOST'] = 'mail.domain.tld'; // defaults to $config['IMAP_HOST'] + ``` + +2. Download the PHP file with the functions from the [GitHub repo](https://github.com/patschi/mailpiler-mailcow-integration): + + ```sh + curl -o /usr/local/etc/piler/auth-mailcow.php https://raw.githubusercontent.com/patschi/mailpiler-mailcow-integration/master/auth-mailcow.php + ``` + +3. Done! + + Make sure to re-login with your IMAP credentials for changes to take effect. + + If it doesn't work, most likely something's wrong with the API query itself. Consider debugging by sending manual API requests to the API. (Tip: Open `https://mail.domain.tld/api` on your instance) diff --git a/mkdocs.yml b/mkdocs.yml index 92e56d69a..bfad849f2 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
@@ -103,6 +103,7 @@ nav: - 'Deinstall': 'u_e-deinstall.md' - 'Re-enable TLS 1.0 and TLS 1.1': 'u_e-reeanble-weak-protocols.md' - 'Mailpiler Integration': 'u_e-mailpiler-integration.md' + - 'Exchange Hybrid Setup': 'u_e-exchange-onprem.md' - 'Client Configuration': - 'Overview': 'client.md' - 'Android': 'client/client-android.md' From 084e26630dde3120257c72014ab30c260d9583f8 Mon Sep 17 00:00:00 2001 From: Justin Vogt Date: Sat, 10 Oct 2020 13:01:01 +0200 Subject: [PATCH 026/220] Add actual documentation --- docs/u_e-exchange-onprem.md | 84 +++++++++++++------------------------ 1 file changed, 28 insertions(+), 56 deletions(-) diff --git a/docs/u_e-exchange-onprem.md b/docs/u_e-exchange-onprem.md index eaea027dd..854ce3720 100644 --- a/docs/u_e-exchange-onprem.md +++ b/docs/u_e-exchange-onprem.md 
@@ -1,65 +1,37 @@ -This is a simple integration of mailcow aliases and the mailbox name into mailpiler when using IMAP authentication. +Using Microsoft Exchange in a hybrid setup is possible with mailcow. With this setup you can add mailboxes on your mailcow and still use [Exchange Online Protection](https://docs.microsoft.com/microsoft-365/security/office-365-security/exchange-online-protection-overview?view=o365-worldwide). +**All mailboxes setup in Exchange will receive their mails as usual**, while with the hybrid approach additional Mailboxes can be setup in mailcow without any further configuration. -**Disclaimer**: This is not officially maintained nor supported by the mailcow project nor its contributors. No warranty or support is being provided, however you're free to open issues on GitHub for filing a bug or provide further ideas. [GitHub repo can be found here](https://github.com/patschi/mailpiler-mailcow-integration). +This setup becomes very handy if you have enabled the [Office 365 security defaults](https://docs.microsoft.com/azure/active-directory/fundamentals/concept-fundamentals-security-defaults) and third party applications can no longer login into your mailboxes by any of the [supported methods](https://docs.microsoft.com/exchange/mail-flow-best-practices/how-to-set-up-a-multifunction-device-or-application-to-send-email-using-microsoft-365-or-office-365). -## The problem to solve -mailpiler offers the authentication based on IMAP, for example: +## Requirements +- The mx Record of your domain needs to point at the Exchange mail service. Log into your Admin center and lookout for the dns settings of your domain to find your personalized gateway domain. It should look like this `contoso-com.mail.protection.outlook.com`. Contact your domain registrant to get further information on how to change mx record. +- The domain you want to have additional mailboxes for must be setup as `internal relay domain` in Exchange. + 1. 
Log in to your [Exchange Admin Center](https://admin.exchange.microsoft.com) + 2. Select the `mail flow` pane and click on `accepted domains` + 3. Select the domain and switch it from `authorative` to `internal relay` + + +## Setup the mailcow +Your mailcow needs to relay all mails to your personalized Exchange Host. It is the same host address we already looked up for the mx Record. -```php -$config['ENABLE_IMAP_AUTH'] = 1; -$config['IMAP_HOST'] = 'mail.example.com'; -$config['IMAP_PORT'] = 993; -$config['IMAP_SSL'] = true; -``` +1. Add the domain to your mailcow +2. [Add your personalized Exchange Host address as relayhost](/firststeps-relayhost) +3. Go to the domain settings and select the newly added host on the `Sender-dependent transports` dropdown. Enable relaying by ticking the `Relay this domain`, `Relay all recipients` and the `Relay non-existing mailboxes only.` checkboxes -- So when you log in using `patrik@example.com`, you will only see delivered emails sent from or to this specific email address. -- When additional aliases are defined in mailcow, like `team@example.com`, you won't see emails sent to or from this email address even the fact you're a recipient of mails sent to this alias address. - -By hooking into the authentication process of mailpiler, we are able to get required data via the mailcow API during login. This fires API requests to the mailcow API (requiring read-only API access) to read out the aliases your email address participates and also the "Name" of the mailbox specified to display it on the top-right of mailpiler after login. - -Permitted email addresses can be seen in the mailpiler settings top-right after logging in. - -!!! info - This is only pulled once during the authentication process. The authorized aliases and the realname are valid for the whole duration of the user session as mailpiler sets them in the session data. If user is removed from specific alias, this will only take effect after next login. 
- -## The solution - -Note: File paths might vary depending on your setup. - -### Requirements - -- A working mailcow instance -- A working mailpiler instance ([You can find an installation guide here](https://patrik.kernstock.net/2020/08/mailpiler-installation-guide/)) -- An mailcow API key (read-only works just fine): `Configuration & Details - Access - Read-Only Access`. Don't forget to allow API access from your mailpiler IP. +## Setup Connectors in Exchange +All mail traffic now goes through Exchange. At this point the Exchange Online Protection already filters all incoming and outgoing mails. Now we need to setup two connectors to relay incoming mails from our Exchange Service to the mailcow and another one to allow mails relayed from the mailcow to our exchange service. You can follow the [official guide from Microsoft](https://docs.microsoft.com/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/set-up-connectors-to-route-mail#2-set-up-a-connector-from-microsoft-365-or-office-365-to-your-email-server). !!! warning - As mailpiler authenticates against mailcow, our IMAP server, failed logins of users or bots might trigger a block for your mailpiler instance. Therefore you might want to consider whitelisting the IP address of the mailpiler instance within mailcow: `Configuration & Details - Configuration - Fail2ban parameters - Whitelisted networks/hosts`. + For the connector that handles mails from your mailcow to Exchange Microsoft offers two ways of authenticating it. The recommended way is to use a tls certificate configured with a subject name that matches an accepted domain in Exchange. Otherwise you need to choose authentication with the static ip address of your mailcow. + +## Validating +The easiest way to validate the hybrid setup is by sending a mail from the internet to a mailbox that only exists on the mailcow and vice versa. 
-### Setup +### Common Issues +- The connector validation from Exchange to your mailcow failed with `550 5.1.10 RESOLVER.ADR.RecipientNotFound; Recipient test@contoso.com not found by SMTP address lookup` +**Possible Solution:** Your domain is not setup as `internal relay`. Exchange therefore cannot find the recipient +- Mails sent from the mailcow to a mailbox in the internet cannot be sent. Non Delivery Report with error `550 5.7.64 TenantAttribution; Relay Access Denied` +**Possible Solution:** The authentication method failed. Make sure the certificate subject matches an accepted domain in Exchange. Try authenticating by static ip instead. -1. Set the custom query function of mailpiler and append this to `/usr/local/etc/piler/config-site.php`: - - ```php - $config['MAILCOW_API_KEY'] = 'YOUR_READONLY_API_KEY'; - $config['MAILCOW_SET_REALNAME'] = true; // when not specified, then default is false - $config['CUSTOM_EMAIL_QUERY_FUNCTION'] = 'query_mailcow_for_email_access'; - include('auth-mailcow.php'); - ``` - - You can also change the mailcow hostname, if required: - ```php - $config['MAILCOW_HOST'] = 'mail.domain.tld'; // defaults to $config['IMAP_HOST'] - ``` - -2. Download the PHP file with the functions from the [GitHub repo](https://github.com/patschi/mailpiler-mailcow-integration): - - ```sh - curl -o /usr/local/etc/piler/auth-mailcow.php https://raw.githubusercontent.com/patschi/mailpiler-mailcow-integration/master/auth-mailcow.php - ``` - -3. Done! - - Make sure to re-login with your IMAP credentials for changes to take effect. - - If it doesn't work, most likely something's wrong with the API query itself. Consider debugging by sending manual API requests to the API. 
(Tip: Open `https://mail.domain.tld/api` on your instance) +Microsoft Guide for the connector setup and additional requirements: https://docs.microsoft.com/de-de/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/set-up-connectors-to-route-mail#prerequisites-for-your-on-premises-email-environment \ No newline at end of file From 15c69f4e8872b2fc08e54329f1510ae8611b99ae Mon Sep 17 00:00:00 2001 From: Justin Vogt Date: Sat, 10 Oct 2020 13:13:40 +0200 Subject: [PATCH 027/220] Fix typo --- docs/u_e-exchange-onprem.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/u_e-exchange-onprem.md b/docs/u_e-exchange-onprem.md index 854ce3720..0355e18c1 100644 --- a/docs/u_e-exchange-onprem.md +++ b/docs/u_e-exchange-onprem.md @@ -5,7 +5,7 @@ This setup becomes very handy if you have enabled the [Office 365 security defau ## Requirements -- The mx Record of your domain needs to point at the Exchange mail service. Log into your Admin center and lookout for the dns settings of your domain to find your personalized gateway domain. It should look like this `contoso-com.mail.protection.outlook.com`. Contact your domain registrant to get further information on how to change mx record. +- The mx Record of your domain needs to point at the Exchange mail service. Log into your Admin center and look out for the dns settings of your domain to find your personalized gateway domain. It should look like this `contoso-com.mail.protection.outlook.com`. Contact your domain registrant to get further information on how to change mx record. - The domain you want to have additional mailboxes for must be setup as `internal relay domain` in Exchange. 1. Log in to your [Exchange Admin Center](https://admin.exchange.microsoft.com) 2. Select the `mail flow` pane and click on `accepted domains` From 93a9ca6080420f270e4063aa472728fe90c4e3e3 Mon Sep 17 00:00:00 2001 
From: Justin Vogt Date: Sat, 10 Oct 2020 13:14:35 +0200 Subject: [PATCH 028/220] Remove language path from url --- docs/u_e-exchange-onprem.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/u_e-exchange-onprem.md b/docs/u_e-exchange-onprem.md index 0355e18c1..45a389f3a 100644 --- a/docs/u_e-exchange-onprem.md +++ b/docs/u_e-exchange-onprem.md @@ -34,4 +34,4 @@ The easiest way to validate the hybrid setup is by sending a mail from the inter - Mails sent from the mailcow to a mailbox in the internet cannot be sent. Non Delivery Report with error `550 5.7.64 TenantAttribution; Relay Access Denied` **Possible Solution:** The authentication method failed. Make sure the certificate subject matches an accepted domain in Exchange. Try authenticating by static ip instead. -Microsoft Guide for the connector setup and additional requirements: https://docs.microsoft.com/de-de/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/set-up-connectors-to-route-mail#prerequisites-for-your-on-premises-email-environment \ No newline at end of file +Microsoft Guide for the connector setup and additional requirements: https://docs.microsoft.com/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/set-up-connectors-to-route-mail#prerequisites-for-your-on-premises-email-environment \ No newline at end of file From e8433348349d885c0e0e04dd51a1efaf238ced09 Mon Sep 17 00:00:00 2001 From: Justin Vogt Date: Sat, 10 Oct 2020 13:37:37 +0200 Subject: [PATCH 029/220] Fix typo --- docs/u_e-exchange-onprem.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/u_e-exchange-onprem.md b/docs/u_e-exchange-onprem.md index 45a389f3a..b1d5c3b87 100644 --- a/docs/u_e-exchange-onprem.md +++ b/docs/u_e-exchange-onprem.md 
@@ -12,14 +12,14 @@ This setup becomes very handy if you have enabled the [Office 365 security defau 3. Select the domain and switch it from `authorative` to `internal relay` -## Setup the mailcow +## Set up the mailcow Your mailcow needs to relay all mails to your personalized Exchange Host. It is the same host address we already looked up for the mx Record. 1. Add the domain to your mailcow 2. [Add your personalized Exchange Host address as relayhost](/firststeps-relayhost) 3. Go to the domain settings and select the newly added host on the `Sender-dependent transports` dropdown. Enable relaying by ticking the `Relay this domain`, `Relay all recipients` and the `Relay non-existing mailboxes only.` checkboxes -## Setup Connectors in Exchange +## Set up Connectors in Exchange All mail traffic now goes through Exchange. At this point the Exchange Online Protection already filters all incoming and outgoing mails. Now we need to setup two connectors to relay incoming mails from our Exchange Service to the mailcow and another one to allow mails relayed from the mailcow to our exchange service. You can follow the [official guide from Microsoft](https://docs.microsoft.com/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/set-up-connectors-to-route-mail#2-set-up-a-connector-from-microsoft-365-or-office-365-to-your-email-server). !!! warning 
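Review bot: the two headings are corrected to "Set up", but the context lines of this hunk still carry the same kind of error. Step 3 spells the Exchange setting `authorative` (it should be `authoritative`), and the connectors paragraph still reads "Now we need to setup two connectors". Since this commit is a typo pass over the file, fold both fixes into it so headings and body agree.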
@@ -30,7 +30,7 @@ The easiest way to validate the hybrid setup is by sending a mail from the inter ### Common Issues - The connector validation from Exchange to your mailcow failed with `550 5.1.10 RESOLVER.ADR.RecipientNotFound; Recipient test@contoso.com not found by SMTP address lookup` -**Possible Solution:** Your domain is not setup as `internal relay`. Exchange therefore cannot find the recipient +**Possible Solution:** Your domain is not set up as `internal relay`. Exchange therefore cannot find the recipient - Mails sent from the mailcow to a mailbox in the internet cannot be sent. Non Delivery Report with error `550 5.7.64 TenantAttribution; Relay Access Denied` **Possible Solution:** The authentication method failed. Make sure the certificate subject matches an accepted domain in Exchange. Try authenticating by static ip instead. From 68e5b3f32a2917833151c026d5c09767d270ee51 Mon Sep 17 00:00:00 2001 From: Justin Vogt Date: Sat, 10 Oct 2020 16:38:41 +0200 Subject: [PATCH 030/220] Add notice of broken inbound filtering Add "forwarding host" step --- docs/u_e-exchange-onprem.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/docs/u_e-exchange-onprem.md b/docs/u_e-exchange-onprem.md index b1d5c3b87..02935496a 100644 --- a/docs/u_e-exchange-onprem.md +++ b/docs/u_e-exchange-onprem.md 
@@ -17,7 +17,12 @@ Your mailcow needs to relay all mails to your personalized Exchange Host. It is 1. Add the domain to your mailcow 2. [Add your personalized Exchange Host address as relayhost](/firststeps-relayhost) -3. Go to the domain settings and select the newly added host on the `Sender-dependent transports` dropdown. Enable relaying by ticking the `Relay this domain`, `Relay all recipients` and the `Relay non-existing mailboxes only.` checkboxes +3. Add your personalized Exchange Host address as forwarding host to unconditionally accepted all relayed mails from Exchange. +4. Go to the domain settings and select the newly added host on the `Sender-dependent transports` dropdown. Enable relaying by ticking the `Relay this domain`, `Relay all recipients` and the `Relay non-existing mailboxes only.` checkboxes + +!!! info + From now on your mailcow will accept all mails relayed from Exchange. The **inbound filtering and so the neural learning of your cow will no longer work**. Because all mails are routed through Exchange the [filtering process is handled there](https://docs.microsoft.com/exchange/antispam-and-antimalware/antispam-and-antimalware?view=exchserver-2019). + ## Set up Connectors in Exchange All mail traffic now goes through Exchange. At this point the Exchange Online Protection already filters all incoming and outgoing mails. Now we need to setup two connectors to relay incoming mails from our Exchange Service to the mailcow and another one to allow mails relayed from the mailcow to our exchange service. You can follow the [official guide from Microsoft](https://docs.microsoft.com/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/set-up-connectors-to-route-mail#2-set-up-a-connector-from-microsoft-365-or-office-365-to-your-email-server). From 8b143840f7c8ba206214d7995b79c750954d297a Mon Sep 17 00:00:00 2001 
From: Justin Vogt Date: Sun, 11 Oct 2020 22:30:46 +0200 Subject: [PATCH 031/220] Fix typo Add Path to Forwarding Hosts menu --- docs/u_e-exchange-onprem.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/u_e-exchange-onprem.md b/docs/u_e-exchange-onprem.md index 02935496a..be105b60c 100644 --- a/docs/u_e-exchange-onprem.md +++ b/docs/u_e-exchange-onprem.md @@ -17,7 +17,7 @@ Your mailcow needs to relay all mails to your personalized Exchange Host. It is 1. Add the domain to your mailcow 2. [Add your personalized Exchange Host address as relayhost](/firststeps-relayhost) -3. Add your personalized Exchange Host address as forwarding host to unconditionally accepted all relayed mails from Exchange. +3. Add your personalized Exchange Host address as forwarding host to unconditionally accepted all relayed mails from Exchange. (Admin > Configuration & Details > Configuration Dropdown > Forwarding Hosts) 4. Go to the domain settings and select the newly added host on the `Sender-dependent transports` dropdown. Enable relaying by ticking the `Relay this domain`, `Relay all recipients` and the `Relay non-existing mailboxes only.` checkboxes !!! info 
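Review bot: the rewritten step 3 still reads "to unconditionally accepted all relayed mails", so the typo named in the subject is not fixed on this line; it should be "accept". The step also grants unconditional acceptance without saying what that costs. Either state in the step that mail arriving from this host is no longer filtered by mailcow, or change the `!!! info` that follows into `!!! warning`, matching the admonition already used in the connectors section. The menu path in parentheses would read better inside the sentence than after its full stop.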
@@ -25,7 +25,7 @@ Your mailcow needs to relay all mails to your personalized Exchange Host. It is ## Set up Connectors in Exchange -All mail traffic now goes through Exchange. At this point the Exchange Online Protection already filters all incoming and outgoing mails. Now we need to setup two connectors to relay incoming mails from our Exchange Service to the mailcow and another one to allow mails relayed from the mailcow to our exchange service. You can follow the [official guide from Microsoft](https://docs.microsoft.com/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/set-up-connectors-to-route-mail#2-set-up-a-connector-from-microsoft-365-or-office-365-to-your-email-server). +All mail traffic now goes through Exchange. At this point the Exchange Online Protection already filters all incoming and outgoing mails. Now we need to set up two connectors to relay incoming mails from our Exchange Service to the mailcow and another one to allow mails relayed from the mailcow to our exchange service. You can follow the [official guide from Microsoft](https://docs.microsoft.com/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/set-up-connectors-to-route-mail#2-set-up-a-connector-from-microsoft-365-or-office-365-to-your-email-server). !!! warning For the connector that handles mails from your mailcow to Exchange Microsoft offers two ways of authenticating it. The recommended way is to use a tls certificate configured with a subject name that matches an accepted domain in Exchange. Otherwise you need to choose authentication with the static ip address of your mailcow. From 5cd3a62b2cce501a51a96598544826d296f6c45c Mon Sep 17 00:00:00 2001 From: heavygale Date: Tue, 13 Oct 2020 19:05:25 +0200 Subject: [PATCH 032/220] Update third_party-nextcloud.md --- docs/third_party-nextcloud.md | 66 +++++++++++++++++++++-------------- 1 file changed, 39 insertions(+), 27 deletions(-) 
diff --git a/docs/third_party-nextcloud.md b/docs/third_party-nextcloud.md index 8d050de4f..b1e61241b 100644 --- a/docs/third_party-nextcloud.md +++ b/docs/third_party-nextcloud.md 
@@ -1,7 +1,16 @@ -NextCloud can be set up with the [helper script](https://github.com/mailcow/mailcow-dockerized/raw/master/helper-scripts/nextcloud.sh) included with mailcow. You can also set up NextCloud on a different server and still use mailcow for authentication. -In the following, we will only assume that you have already set up NextCloud at _cloud.example.com_ and that your mailcow is running at _mail.example.com_. -To set up authentication via mailcow, you can use OAuth2 as described below. +## Manage the Nextcloud using the helper script + +Nextcloud can be set up (parameter `-i`) and removed (parameter `-p`) with the [helper script](https://github.com/mailcow/mailcow-dockerized/raw/master/helper-scripts/nextcloud.sh) included with mailcow. In order to install Nextcloud simply navigate to your mailcow-dockerized root folder and run the helper script as follows: + +`./helper-scripts/nextcloud.sh -i` + +Calling the helper script with `-r` as parameter allows you to reset the password for any given Nextcloud in case you have forgotten the admin password and can't request a new one [via the password reset link on the login screen](https://docs.nextcloud.com/server/20/admin_manual/configuration_user/reset_admin_password.html?highlight=reset). Only use this option if your Nextcloud isn't configured to use mailcow for authentication as described in the next section. + + +## Configure Nextcloud to use mailcow for authentication + +The following describes how set up authentication via mailcow using the OAuth2 protocol. We will only assume that you have already set up Nextcloud at _cloud.example.com_ and that your mailcow is running at _mail.example.com_. It does not matter if your Nextcloud is running on a different server, you can still use mailcow for authentication. 1. Log into mailcow as administrator. 2. Scroll down to _OAuth2 Apps_ and click the _Add_ button. 
Specify the redirect URI as `https://cloud.example.com/index.php/apps/sociallogin/custom_oauth2/Mailcow` and click _Add_. Save the client ID and secret for later. 
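Review bot: in the new authentication intro, "The following describes how set up authentication" is missing "to". In the `-r` paragraph, "reset the password for any given Nextcloud" does not say whose password is reset (the rest of the sentence implies a Nextcloud user such as the admin), and the restriction "Only use this option if your Nextcloud isn't configured to use mailcow for authentication" is given without a reason; one clause explaining why would keep readers from ignoring it.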
@@ -9,39 +18,42 @@ To set up authentication via mailcow, you can use OAuth2 as described below. !!! info Some installations, including those setup using the helper script of mailcow, need to remove index.php/ from the URL to get a successful redirect: `https://cloud.example.com/apps/sociallogin/custom_oauth2/Mailcow` -3. Log into NextCloud as administrator. +3. Log into Nextcloud as administrator. 4. Click the button in the top right corner and select _Apps_. Click the search button in the toolbar, search for the [_Social Login_](https://apps.nextcloud.com/apps/sociallogin) plugin and click _Download and enable_ next to it. 5. Click the button in the top right corner and select _Settings_. Scroll down to the _Administration_ section on the left and click _Social login_. 6. Uncheck the following items: - - _Disable auto create new users_, - - _Allow users to connect social logins with their accounts_, - - _Do not prune not available user groups on login_, - - _Automatically create groups if they do not exists_, - - _Restrict login for users without mapped groups_, - and check the following items: - - _Prevent creating an account if the email address exists in another account_, - - _Update user profile every login_, - - _Disable notify admins about new users_. +- _Disable auto create new users_, +- _Allow users to connect social logins with their accounts_, +- _Do not prune not available user groups on login_, +- _Automatically create groups if they do not exists_, +- _Restrict login for users without mapped groups_, - Click the _Save_ button. +and check the following items: -7. Scroll down to _Custom OAuth2_ and click the _+_ button. +- _Prevent creating an account if the email address exists in another account_, +- _Update user profile every login_, +- _Disable notify admins about new users_. + +Click the _Save_ button. + +7. Scroll down to _Custom OAuth2_ and click the _+_ button. 8. 
Configure the parameters as follows: - - Internal name: `Mailcow` - - Title: `Mailcow` - - API Base URL: `https://mail.example.com` - - Authorize URL: `https://mail.example.com/oauth/authorize` - - Token URL: `https://mail.example.com/oauth/token` - - Profile URL: `https://mail.example.com/oauth/profile` - - Logout URL: (leave blank) - - Client ID: (what you obtained in step 1) - - Client Secret: (what you obtained in step 1) - - Scope: `profile` + +- Internal name: `Mailcow` +- Title: `Mailcow` +- API Base URL: `https://mail.example.com` +- Authorize URL: `https://mail.example.com/oauth/authorize` +- Token URL: `https://mail.example.com/oauth/token` +- Profile URL: `https://mail.example.com/oauth/profile` +- Logout URL: (leave blank) +- Client ID: (what you obtained in step 1) +- Client Secret: (what you obtained in step 1) +- Scope: `profile` Click the _Save_ button at the very bottom of the page. -If you have previously used NextCloud with mailcow authentication via user\_external/IMAP, you need to perform some additional steps to link your existing user accounts with OAuth2. +If you have previously used Nextcloud with mailcow authentication via user\_external/IMAP, you need to perform some additional steps to link your existing user accounts with OAuth2. 1. Click the button in the top right corner and select _Apps_. Scroll down to the _External user authentication_ app and click _Remove_ next to it. 2. Run the following queries in your Nextcloud database (if you set up Nextcloud using mailcow's script, you can run `source mailcow.conf && docker-compose exec mysql-mailcow mysql -u$DBUSER -p$DBPASS $DBNAME`): 
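Review bot: the parameter list says Client ID and Client Secret are "what you obtained in step 1", but the client ID and secret are saved in step 2 (step 1 is only the mailcow login); correct the reference while these lines are being rewritten. De-indenting the sub-lists under steps 6 and 8 also takes them out of the ordered list in Markdown, so the numbers that follow may restart; keep the indent or check the rendered numbering.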
@@ -50,7 +62,7 @@ INSERT INTO nc_users (uid, uid_lower) SELECT DISTINCT uid, LOWER(uid) FROM nc_us INSERT INTO nc_sociallogin_connect (uid, identifier) SELECT DISTINCT uid, CONCAT("Mailcow-", uid) FROM nc_users_external; ``` -If you have previously used NextCloud without mailcow authentication, but with the same usernames as mailcow, you can also link your existing user accounts with OAuth2. +If you have previously used Nextcloud without mailcow authentication, but with the same usernames as mailcow, you can also link your existing user accounts with OAuth2. 1. Run the following queries in your Nextcloud database (if you set up Nextcloud using mailcow's script, you can run `source mailcow.conf && docker-compose exec mysql-mailcow mysql -u$DBUSER -p$DBPASS $DBNAME`): ``` From d109943081aae6d24c5683aefd8a724852267fa9 Mon Sep 17 00:00:00 2001 From: heavygale Date: Tue, 13 Oct 2020 19:08:40 +0200 Subject: [PATCH 033/220] Update third_party-nextcloud.md --- docs/third_party-nextcloud.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/docs/third_party-nextcloud.md b/docs/third_party-nextcloud.md index b1e61241b..253c3b2a9 100644 --- a/docs/third_party-nextcloud.md +++ b/docs/third_party-nextcloud.md 
@@ -1,12 +1,11 @@ -## Manage the Nextcloud using the helper script +## Manage Nextcloud using the helper script Nextcloud can be set up (parameter `-i`) and removed (parameter `-p`) with the [helper script](https://github.com/mailcow/mailcow-dockerized/raw/master/helper-scripts/nextcloud.sh) included with mailcow. In order to install Nextcloud simply navigate to your mailcow-dockerized root folder and run the helper script as follows: `./helper-scripts/nextcloud.sh -i` -Calling the helper script with `-r` as parameter allows you to reset the password for any given Nextcloud in case you have forgotten the admin password and can't request a new one [via the password reset link on the login screen](https://docs.nextcloud.com/server/20/admin_manual/configuration_user/reset_admin_password.html?highlight=reset). Only use this option if your Nextcloud isn't configured to use mailcow for authentication as described in the next section. - +In case you have forgotten the password (e.g. for admin) and can't request a new one [via the password reset link on the login screen](https://docs.nextcloud.com/server/20/admin_manual/configuration_user/reset_admin_password.html?highlight=reset) calling the helper script with `-r` as parameter allows you to set a new password. Only use this option if your Nextcloud isn't configured to use mailcow for authentication as described in the next section. ## Configure Nextcloud to use mailcow for authentication From f4d61bc7bc3fc88d2eccb52145c916f602d514ae Mon Sep 17 00:00:00 2001 From: andryyy Date: Tue, 13 Oct 2020 21:49:44 +0200 Subject: [PATCH 034/220] Formatting --- docs/third_party-nextcloud.md | 48 ++++++++++++++++++++--------------- 1 file changed, 28 insertions(+), 20 deletions(-) diff --git a/docs/third_party-nextcloud.md b/docs/third_party-nextcloud.md index 253c3b2a9..c6466b7de 100644 --- a/docs/third_party-nextcloud.md +++ b/docs/third_party-nextcloud.md 
@@ -11,33 +11,37 @@ In case you have forgotten the password (e.g. for admin) and can't request a new The following describes how set up authentication via mailcow using the OAuth2 protocol. We will only assume that you have already set up Nextcloud at _cloud.example.com_ and that your mailcow is running at _mail.example.com_. It does not matter if your Nextcloud is running on a different server, you can still use mailcow for authentication. -1. Log into mailcow as administrator. -2. Scroll down to _OAuth2 Apps_ and click the _Add_ button. Specify the redirect URI as `https://cloud.example.com/index.php/apps/sociallogin/custom_oauth2/Mailcow` and click _Add_. Save the client ID and secret for later. +1\. Log into mailcow as administrator. + +2\. Scroll down to _OAuth2 Apps_ and click the _Add_ button. Specify the redirect URI as `https://cloud.example.com/index.php/apps/sociallogin/custom_oauth2/Mailcow` and click _Add_. Save the client ID and secret for later. !!! info Some installations, including those setup using the helper script of mailcow, need to remove index.php/ from the URL to get a successful redirect: `https://cloud.example.com/apps/sociallogin/custom_oauth2/Mailcow` -3. Log into Nextcloud as administrator. -4. Click the button in the top right corner and select _Apps_. Click the search button in the toolbar, search for the [_Social Login_](https://apps.nextcloud.com/apps/sociallogin) plugin and click _Download and enable_ next to it. -5. Click the button in the top right corner and select _Settings_. Scroll down to the _Administration_ section on the left and click _Social login_. -6. Uncheck the following items: +3\. Log into Nextcloud as administrator. -- _Disable auto create new users_, -- _Allow users to connect social logins with their accounts_, -- _Do not prune not available user groups on login_, -- _Automatically create groups if they do not exists_, -- _Restrict login for users without mapped groups_, +4\. 
Click the button in the top right corner and select _Apps_. Click the search button in the toolbar, search for the [_Social Login_](https://apps.nextcloud.com/apps/sociallogin) plugin and click _Download and enable_ next to it. -and check the following items: +5\. Click the button in the top right corner and select _Settings_. Scroll down to the _Administration_ section on the left and click _Social login_. -- _Prevent creating an account if the email address exists in another account_, -- _Update user profile every login_, -- _Disable notify admins about new users_. +6\. Uncheck the following items: + +- "Disable auto create new users" +- "Allow users to connect social logins with their accounts" +- "Do not prune not available user groups on login" +- "Automatically create groups if they do not exists" +- "Restrict login for users without mapped groups" + +7\. Check the following items: + +- "Prevent creating an account if the email address exists in another account" +- "Update user profile every login" +- "Disable notify admins about new users" Click the _Save_ button. -7. Scroll down to _Custom OAuth2_ and click the _+_ button. -8. Configure the parameters as follows: +8\. Scroll down to _Custom OAuth2_ and click the _+_ button. +9\. Configure the parameters as follows: - Internal name: `Mailcow` - Title: `Mailcow` 
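Review bot: `8\.` and `9\.` are added on consecutive lines with no blank line between them, unlike the other steps in this hunk, and with the escaped numbers they are plain paragraphs, so the two steps will render as one run-on paragraph; add a blank line after step 8. "Click the _Save_ button." now sits under the new step 7 although it applies to the settings changed in steps 6 and 7; make it its own step or say so.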
@@ -52,18 +56,22 @@ Click the _Save_ button. Click the _Save_ button at the very bottom of the page. +--- + If you have previously used Nextcloud with mailcow authentication via user\_external/IMAP, you need to perform some additional steps to link your existing user accounts with OAuth2. -1. Click the button in the top right corner and select _Apps_. Scroll down to the _External user authentication_ app and click _Remove_ next to it. -2. Run the following queries in your Nextcloud database (if you set up Nextcloud using mailcow's script, you can run `source mailcow.conf && docker-compose exec mysql-mailcow mysql -u$DBUSER -p$DBPASS $DBNAME`): +1\. Click the button in the top right corner and select _Apps_. Scroll down to the _External user authentication_ app and click _Remove_ next to it. +2\. Run the following queries in your Nextcloud database (if you set up Nextcloud using mailcow's script, you can run `source mailcow.conf && docker-compose exec mysql-mailcow mysql -u$DBUSER -p$DBPASS $DBNAME`): ``` INSERT INTO nc_users (uid, uid_lower) SELECT DISTINCT uid, LOWER(uid) FROM nc_users_external; INSERT INTO nc_sociallogin_connect (uid, identifier) SELECT DISTINCT uid, CONCAT("Mailcow-", uid) FROM nc_users_external; ``` +--- + If you have previously used Nextcloud without mailcow authentication, but with the same usernames as mailcow, you can also link your existing user accounts with OAuth2. -1. Run the following queries in your Nextcloud database (if you set up Nextcloud using mailcow's script, you can run `source mailcow.conf && docker-compose exec mysql-mailcow mysql -u$DBUSER -p$DBPASS $DBNAME`): +1\. Run the following queries in your Nextcloud database (if you set up Nextcloud using mailcow's script, you can run `source mailcow.conf && docker-compose exec mysql-mailcow mysql -u$DBUSER -p$DBPASS $DBNAME`): ``` INSERT INTO nc_sociallogin_connect (uid, identifier) SELECT DISTINCT uid, CONCAT("Mailcow-", uid) FROM nc_users; ``` 
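Review bot: `1\.` and `2\.` in the user\_external section are added on consecutive lines with no blank line, so with the escaped numbers they join into a single paragraph; separate them with a blank line as done for the steps earlier in the file. The queries in the context use a double-quoted string, `CONCAT("Mailcow-", uid)`, which MySQL treats as an identifier when the `ANSI_QUOTES` SQL mode is enabled; single quotes would be safe in either mode.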
From a8b8b9d7b289796303f45d7a311a6b19b0f4514f Mon Sep 17 00:00:00 2001 From: Gravity <18413674+grravity@users.noreply.github.com> Date: Tue, 13 Oct 2020 20:29:56 -0400 Subject: [PATCH 035/220] Added headers, and new resources Added headers to the advanced dns configuration table as well as dkim spft and dmarc sections, for better readability and clarity, as well as to match the top portion which has headers. Also added MultiRBL.valli.org as a resource for testing DNSBL, RBL, and FCrDNS. And lastly added Postmark as an alternative suggestion for gmail's postmaster under misc. --- docs/prerequisite-dns.md | 31 ++++++++++++++++++------------- 1 file changed, 18 insertions(+), 13 deletions(-) diff --git a/docs/prerequisite-dns.md b/docs/prerequisite-dns.md index a5f29fdbf..d37d7ef3b 100644 --- a/docs/prerequisite-dns.md +++ b/docs/prerequisite-dns.md @@ -31,18 +31,21 @@ autoconfig IN CNAME mail In the example DNS zone file snippet below, a simple **SPF** TXT record is used to only allow THIS server (the MX) to send mail for your domain. Every other server is disallowed but able to ("`~all`"). Please refer to [SPF Project](http://www.open-spf.org/) for further reading. ``` +# Name Type Value @ IN TXT "v=spf1 mx a -all" ``` It is highly recommended to create a **DKIM** TXT record in your mailcow UI and set the corresponding TXT record in your DNS records. Please refer to [OpenDKIM](http://www.opendkim.org) for further reading. ``` +# Name Type Value dkim._domainkey IN TXT "v=DKIM1; k=rsa; t=s; s=email; p=..." ``` The last step in protecting yourself and others is the implementation of a **DMARC** TXT record, for example by using the [DMARC Assistant](http://www.kitterman.com/dmarc/assistant.html) ([check](https://dmarcian.com/dmarc-inspector/google.com)). ``` +# Name Type Value _dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:mailauth-reports@example.org" ``` 
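Review bot: the added header lines start with `#`, but the surrounding text presents these blocks as DNS zone file snippets, where the comment character is `;`, so a reader who pastes a block into a zone file gets a line that is not read as a comment. Use `; Name Type Value`, and consider naming the class column as well, since every row carries `IN`. The SPF paragraph in the context also describes "`~all`" while the record shown uses `-all`; align the two while touching this block.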
@@ -51,18 +54,19 @@ _dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:mailauth-reports@ **SRV** records specify the server(s) for a specific protocol on your domain. If you want to explicitly announce a service as not provided, give "." as the target address (instead of "mail.example.org."). Please refer to [RFC 2782](https://tools.ietf.org/html/rfc2782). ``` -_imap._tcp IN SRV 0 1 143 mail.example.org. -_imaps._tcp IN SRV 0 1 993 mail.example.org. -_pop3._tcp IN SRV 0 1 110 mail.example.org. -_pop3s._tcp IN SRV 0 1 995 mail.example.org. -_submission._tcp IN SRV 0 1 587 mail.example.org. -_smtps._tcp IN SRV 0 1 465 mail.example.org. -_sieve._tcp IN SRV 0 1 4190 mail.example.org. -_autodiscover._tcp IN SRV 0 1 443 mail.example.org. -_carddavs._tcp IN SRV 0 1 443 mail.example.org. -_carddavs._tcp IN TXT "path=/SOGo/dav/" -_caldavs._tcp IN SRV 0 1 443 mail.example.org. -_caldavs._tcp IN TXT "path=/SOGo/dav/" +# Name Type Priority Weight Port Value +_imap._tcp IN SRV 0 1 143 mail.example.org. +_imaps._tcp IN SRV 0 1 993 mail.example.org. +_pop3._tcp IN SRV 0 1 110 mail.example.org. +_pop3s._tcp IN SRV 0 1 995 mail.example.org. +_submission._tcp IN SRV 0 1 587 mail.example.org. +_smtps._tcp IN SRV 0 1 465 mail.example.org. +_sieve._tcp IN SRV 0 1 4190 mail.example.org. +_autodiscover._tcp IN SRV 0 1 443 mail.example.org. +_carddavs._tcp IN SRV 0 1 443 Mail.example.org. +_carddavs._tcp IN TXT "path=/SOGo/dav/" +_caldavs._tcp IN SRV 0 1 443 mail.example.org. +_caldavs._tcp IN TXT "path=/SOGo/dav/" ``` ## Testing 
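Review bot: in the realigned SRV table the `_carddavs._tcp` SRV row now points at `Mail.example.org.` with a capital M, while every other row uses `mail.example.org.`. DNS names compare case-insensitively, so it still resolves, but it looks like an accidental edit that readers will copy verbatim; restore `mail.example.org.`. The new `# Name Type Priority Weight Port Value` header also does not fit the two TXT rows, which have no priority, weight or port.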
@@ -73,10 +77,11 @@ Here are some tools you can use to verify your DNS configuration: - [port25.com](https://www.port25.com/dkim-wizard/) (DKIM, SPF) - [Mail-tester](https://www.mail-tester.com/) (DKIM, DMARC, SPF) - [DMARC Analyzer](https://www.dmarcanalyzer.com/spf/checker/) (DMARC, SPF) +- [MultiRBL.valli.org](http://multirbl.valli.org/) (DNSBL, RBL, FCrDNS) ## Misc -If you are interested in statistics, you can additionally register with the [Postmaster Tool](https://gmail.com/postmaster) by Google and supply a **google-site-verification** TXT record, which will give you details about spam-classified mails by your domain. This is clearly optional. +If you are interested in statistics, you can additionally register with the [Postmaster Tool](https://gmail.com/postmaster) by Google and supply a **google-site-verification** TXT record, which will give you details about spam-classified mails by your domain. Another alternative service is [Postmark](https://dmarc.postmarkapp.com) These are clearly optional. ``` @ IN TXT "google-site-verification=..." From 1d536f7850edbcfa1ed3b0b5b6eb383b978b3b1a Mon Sep 17 00:00:00 2001 From: Gravity <18413674+grravity@users.noreply.github.com> Date: Tue, 13 Oct 2020 21:04:40 -0400 Subject: [PATCH 036/220] Edited DMARC with more resources, and added table - Edited DMARC section with more resources than my original PR. - Moved some stuff around and added in the DMARC section. - Added a table to the DMARC section to match the above. --- docs/prerequisite-dns.md | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/docs/prerequisite-dns.md b/docs/prerequisite-dns.md index d37d7ef3b..7c29aec89 100644 --- a/docs/prerequisite-dns.md +++ b/docs/prerequisite-dns.md 
@@ -81,10 +81,27 @@ Here are some tools you can use to verify your DNS configuration: ## Misc -If you are interested in statistics, you can additionally register with the [Postmaster Tool](https://gmail.com/postmaster) by Google and supply a **google-site-verification** TXT record, which will give you details about spam-classified mails by your domain. Another alternative service is [Postmark](https://dmarc.postmarkapp.com) These are clearly optional. +### Optional DMARC Statistics +If you are interested in statistics, you can additionally register with some of the many below DMARC statistic services, or self-host your own. + +**NOTE:** It is worth considering that if you request DMARC statistic reports to your Mailcow server, if there are issues with that domain you may not get accurate results. You can consider using an alternative email domain for recieving DMARC reports. + +- [Postmaster Tool](https://gmail.com/postmaster) +- [parsedmarc](https://github.com/domainaware/parsedmarc) (self-hosted) +- [Fraudmarc](https://fraudmarc.com/) +- [Postmark](https://dmarc.postmarkapp.com) +- [Dmarcian](https://dmarcian.com/) + +The services should provide you with a TXT record, which will give you details about spam-classified mails by your domain. +Using Google Postmaster as an example: ``` + +# Name Type Value + @ IN TXT "google-site-verification=..." + ``` + [^1]: A **Fully Qualified Domain Name** (**FQDN**) is the complete (absolute) domain name for a specific computer or host, on the Internet. The FQDN consists of at least three parts divided by a dot: the hostname (myhost), the domain name (mydomain) and the top level domain in short **tld** (com). In the example of `mx.mailcow.email` the hostname would be `mx`, the domain name 'mailcow' and the tld `email`. From a50b53bd9d02b7625b7bbd14c960acb6a7f66d5f Mon Sep 17 00:00:00 2001 
From: Gravity <18413674+grravity@users.noreply.github.com> Date: Tue, 13 Oct 2020 21:09:07 -0400 Subject: [PATCH 037/220] Minor edit to DMARC stats section --- docs/prerequisite-dns.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/prerequisite-dns.md b/docs/prerequisite-dns.md index 7c29aec89..3296ea577 100644 --- a/docs/prerequisite-dns.md +++ b/docs/prerequisite-dns.md @@ -103,5 +103,6 @@ Using Google Postmaster as an example: ``` +However, ensure to read documentation from the service you choose, as this process may vary. [^1]: A **Fully Qualified Domain Name** (**FQDN**) is the complete (absolute) domain name for a specific computer or host, on the Internet. The FQDN consists of at least three parts divided by a dot: the hostname (myhost), the domain name (mydomain) and the top level domain in short **tld** (com). In the example of `mx.mailcow.email` the hostname would be `mx`, the domain name 'mailcow' and the tld `email`. From ed4e12f2e2d11c745aec85df9d6e879294f3ad4e Mon Sep 17 00:00:00 2001 From: Gravity <18413674+grravity@users.noreply.github.com> Date: Tue, 13 Oct 2020 21:12:14 -0400 Subject: [PATCH 038/220] Removed line breaks from dmarc & added a reference --- docs/prerequisite-dns.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/prerequisite-dns.md b/docs/prerequisite-dns.md index 3296ea577..73f085cf1 100644 --- a/docs/prerequisite-dns.md +++ b/docs/prerequisite-dns.md 
@@ -8,6 +8,9 @@ Below you can find a list of **recommended DNS records**. While some are mandato ["Best Practices on Email Protection: SPF, DKIM and DMARC"](https://wiki.zimbra.com/wiki/Best_Practices_on_Email_Protection:_SPF,_DKIM_and_DMARC) - An in-depth discussion of SPF, DKIM and DMARC: ["How to eliminate spam and protect your name with DMARC"](https://www.skelleton.net/2015/03/21/how-to-eliminate-spam-and-protect-your-name-with-dmarc/) +- A thorough guide on DMARC +[Demystifying DMARC: A guide to preventing email spoofing](https://seanthegeek.net/459/demystifying-dmarc/) + ## Reverse DNS of your IP @@ -96,11 +99,9 @@ The services should provide you with a TXT record, which will give you details a Using Google Postmaster as an example: ``` - # Name Type Value @ IN TXT "google-site-verification=..." - ``` However, ensure to read documentation from the service you choose, as this process may vary. From 75d481fa1121ba153ce59c4ed2eaabe893fe43d4 Mon Sep 17 00:00:00 2001 From: Gravity <18413674+grravity@users.noreply.github.com> Date: Wed, 14 Oct 2020 09:57:48 -0400 Subject: [PATCH 039/220] Added missing quotes and colan to new reference --- docs/prerequisite-dns.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/prerequisite-dns.md b/docs/prerequisite-dns.md index 73f085cf1..e89fc6393 100644 --- a/docs/prerequisite-dns.md +++ b/docs/prerequisite-dns.md 
@@ -8,8 +8,8 @@ Below you can find a list of **recommended DNS records**. While some are mandato ["Best Practices on Email Protection: SPF, DKIM and DMARC"](https://wiki.zimbra.com/wiki/Best_Practices_on_Email_Protection:_SPF,_DKIM_and_DMARC) - An in-depth discussion of SPF, DKIM and DMARC: ["How to eliminate spam and protect your name with DMARC"](https://www.skelleton.net/2015/03/21/how-to-eliminate-spam-and-protect-your-name-with-dmarc/) -- A thorough guide on DMARC -[Demystifying DMARC: A guide to preventing email spoofing](https://seanthegeek.net/459/demystifying-dmarc/) +- A thorough guide on understanding DMARC: +["Demystifying DMARC: A guide to preventing email spoofing"](https://seanthegeek.net/459/demystifying-dmarc/) ## Reverse DNS of your IP From 789eaa6cd7fe37cf65a2eb36af4f035d80f96b1e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Wed, 14 Oct 2020 22:12:06 +0200 Subject: [PATCH 040/220] Update third_party-roundcube.md --- docs/third_party-roundcube.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/third_party-roundcube.md b/docs/third_party-roundcube.md index 50b708c0f..dd2a99b18 100644 --- a/docs/third_party-roundcube.md +++ b/docs/third_party-roundcube.md @@ -2,9 +2,9 @@ Download Roundcube 1.4.x to the web htdocs directory and extract it (here `rc/`) ``` # Check for a newer release! cd data/web -wget -O - https://github.com/roundcube/roundcubemail/releases/download/1.4.8/roundcubemail-1.4.8-complete.tar.gz | tar xfvz - +wget -O - https://github.com/roundcube/roundcubemail/releases/download/1.4.9/roundcubemail-1.4.9-complete.tar.gz | tar xfvz - # Change folder name -mv roundcubemail-1.4.8 rc +mv roundcubemail-1.4.9 rc # Change permissions chown -R root: rc/ ``` From c5a20eb5219502a0449b4d0c62eb6d20873f90b9 Mon Sep 17 00:00:00 2001 
From: andryyy Date: Tue, 20 Oct 2020 15:42:18 +0200 Subject: [PATCH 041/220] Add Dovecot master instructions --- docs/u_e-dovecot-static_master.md | 21 +++++++++++++++++++++ mkdocs.yml | 7 ++++--- 2 files changed, 25 insertions(+), 3 deletions(-) create mode 100644 docs/u_e-dovecot-static_master.md diff --git a/docs/u_e-dovecot-static_master.md b/docs/u_e-dovecot-static_master.md new file mode 100644 index 000000000..99503572b --- /dev/null +++ b/docs/u_e-dovecot-static_master.md @@ -0,0 +1,21 @@ +Random master usernames and passwords are automatically created on every restart of dovecot-mailcow. + +**That's recommended and should not be changed.** + +If you need the user to be static anyway, please specify two variables in `mailcow.conf`. + +**Both** parameters must not be empty! + +``` +DOVECOT_MASTER_USER=mymasteruser +DOVECOT_MASTER_PASS=mysecretpass +``` + +Run `docker-compose up -d` to apply your changes. + +The static master username will be expanded to `DOVECOT_MASTER_USER@mailcow.local`. + +To login as `test@example.org` this would equal to `test@example.org*mymasteruser@mailcow.local` with the specified password above. + +A login to SOGo is not possible with this username. A click-to-login function for SOGo is available for admins as described [https://mailcow.github.io/mailcow-dockerized-docs/debug-admin_login_sogo/](here). +No master user is required. diff --git a/mkdocs.yml b/mkdocs.yml index bfad849f2..ac539bb05 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
@@ -79,14 +79,15 @@ nav: - 'Using an external DNS service': 'u_e-unbound-fwd.md' - 'Dovecot': - 'Enable "any" ACL settings': 'u_e-dovecot-any_acl.md' - - 'Public folders': 'u_e-dovecot-public_folder.md' - 'Expunge a Users mails': 'u_e-dovecot-expunge.md' - 'Customize/Expand dovecot.conf': 'u_e-dovecot-extra_conf.md' + - 'FTS (Solr)': 'u_e-dovecot-fts.md' + - 'IMAP IDLE interval': 'u_e-dovecot-idle_interval.md' - 'Mail crypt': 'u_e-dovecot-mail-crypt.md' - 'More Examples with DOVEADM': 'u_e-dovecot-more.md' - 'Move vmail volume': 'u_e-dovecot-vmail-volume.md' - - 'IMAP IDLE interval': 'u_e-dovecot-idle_interval.md' - - 'FTS (Solr)': 'u_e-dovecot-fts.md' + - 'Public folders': 'u_e-dovecot-public_folder.md' + - 'Static master user': 'u_e-dovecot-static_master.md' - 'Nginx': - 'Custom sites': 'u_e-nginx.md' - 'Create subdomain webmail.example.org': 'u_e-webmail-site.md' From abc4a3ee99c406041eb17de20ff552556d78202a Mon Sep 17 00:00:00 2001 From: andryyy Date: Tue, 20 Oct 2020 15:50:49 +0200 Subject: [PATCH 042/220] Fixes --- docs/restrictions_ip_accss.md | 13 +++++++++++++ docs/u_e-dovecot-static_master.md | 2 +- 2 files changed, 14 insertions(+), 1 deletion(-) create mode 100644 docs/restrictions_ip_accss.md diff --git a/docs/restrictions_ip_accss.md b/docs/restrictions_ip_accss.md new file mode 100644 index 000000000..2c23ba6c8 --- /dev/null +++ b/docs/restrictions_ip_accss.md @@ -0,0 +1,13 @@ +# Protocol restrictions and IP access + +Denied access will be shown to the user as failed login attempts. + +## Protocol restrictions in Dovecot + +Protocol restrictions work by filtering the passdb query for IMAP and POP3 as well as reading the JSON value for %s_access where %s reflects the protocol seen by Dovecot. + +In the future we may use virtual colums in SQL to add an index on these values. + +## Protocol restrictions in Postfix + +Filtering SMTP protocol access works by using a check_sasl_map in the smtpd_recipient_restrictions. 
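Review bot: the new file is named `docs/restrictions_ip_accss.md`, which looks like a typo for `access`; fix the name now, since renaming a published page breaks inbound links. In the body, `colums` should be `columns`, and the identifiers `%s_access`, `check_sasl_map` and `smtpd_recipient_restrictions` should be in code spans. The opening line says denied access is shown to the user as a failed login attempt; it would help to state whether these denials are logged differently from wrong-password failures, so an admin reading the logs can tell a policy block from a guessing attempt.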
diff --git a/docs/u_e-dovecot-static_master.md b/docs/u_e-dovecot-static_master.md index 99503572b..08c489a95 100644 --- a/docs/u_e-dovecot-static_master.md +++ b/docs/u_e-dovecot-static_master.md @@ -17,5 +17,5 @@ The static master username will be expanded to `DOVECOT_MASTER_USER@mailcow.loca To login as `test@example.org` this would equal to `test@example.org*mymasteruser@mailcow.local` with the specified password above. -A login to SOGo is not possible with this username. A click-to-login function for SOGo is available for admins as described [https://mailcow.github.io/mailcow-dockerized-docs/debug-admin_login_sogo/](here). +A login to SOGo is not possible with this username. A click-to-login function for SOGo is available for admins as described [here](https://mailcow.github.io/mailcow-dockerized-docs/debug-admin_login_sogo/) No master user is required. From aff106e91fe2824723642b9c8d77a9edc9f2d8ae Mon Sep 17 00:00:00 2001 From: andryyy Date: Tue, 20 Oct 2020 15:51:20 +0200 Subject: [PATCH 043/220] wip... --- docs/restrictions_ip_accss.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/restrictions_ip_accss.md b/docs/restrictions_ip_accss.md index 2c23ba6c8..f5ae09df4 100644 --- a/docs/restrictions_ip_accss.md +++ b/docs/restrictions_ip_accss.md @@ -1,3 +1,5 @@ +_WIP_ + # Protocol restrictions and IP access Denied access will be shown to the user as failed login attempts. From fb8c386dff2a96fed67de602a3e185bb968b7534 Mon Sep 17 00:00:00 2001 
From: heavygale Date: Tue, 20 Oct 2020 21:32:00 +0200 Subject: [PATCH 044/220] Some fixes and improvements Fixed broken links and listings, some minor typos, and some added information. --- docs/debug-attach_service.md | 2 ++ docs/debug-common_problems.md | 6 ++--- docs/firststeps-rspamd_ui.md | 2 +- docs/firststeps-snat.md | 4 +--- docs/firststeps-ssl.md | 33 ++++++++++++++------------ docs/firststeps-sync_jobs_migration.md | 4 ++-- docs/i_u_m_install.md | 8 +++---- docs/prerequisite-dns.md | 8 +++---- 8 files changed, 35 insertions(+), 32 deletions(-) diff --git a/docs/debug-attach_service.md b/docs/debug-attach_service.md index e20719995..8fde69614 100644 --- a/docs/debug-attach_service.md +++ b/docs/debug-attach_service.md @@ -36,6 +36,8 @@ Here is a brief overview of what container / service does what: | redis-mailcow | Storage back-end for DKIM keys and Rspamd | | rspamd-mailcow | Mail filtering system. Used for av handling, dkim signing, spam handling | | clamd-mailcow | Scans attachments for viruses | +| olefy-mailcow | Scans attached office documents for macro-viruses | +| solr-mailcow | Provides full-text search in Dovecot | | sogo-mailcow | Webmail client that handles Microsoft ActiveSync and Cal- / CardDav | | nginx-mailcow | Nginx remote proxy that handles all mailcow related HTTP / HTTPS requests | | acme-mailcow | Automates HTTPS (SSL/TLS) certificate deployment | diff --git a/docs/debug-common_problems.md b/docs/debug-common_problems.md index 7954a4529..dbc5ace30 100644 --- a/docs/debug-common_problems.md +++ b/docs/debug-common_problems.md 
@@ -10,7 +10,7 @@ Please check in your mailcow UI if you made the domain a **backup MX**: There are a lot of things that could prevent you from sending mail: -- Check if your IP is on any blacklists. You could use [dnsbl.info](http://www.dnsbl.info/) or any other similar service to check for your IP. +- Check if your IP address is on any blacklists. You could use [dnsbl.info](http://www.dnsbl.info/) or any other similar service to check for your IP address. - There are some consumer ISP routers out there, that block mail ports for non whitelisted domains. Please check if you can reach your server on the ports `465` or `587`: ``` @@ -40,7 +40,7 @@ This error tries to tell you that one of the (health) conditions for a certain c A wrong configured firewall could also cause such a failure. The containers need to be able to talk to each other over the network 172.22.1.1/24. -It might also be wrongly linked file (i.e. SSL certificate) that prevents a crucial container (nginx) from starting, so always check your logs to get an Idea where your problem is coming from. +It might also be wrongly linked file (i.e. SSL certificate) that prevents a crucial container (nginx) from starting, so always check your logs to get an idea where your problem is coming from. ## Address already in use @@ -51,7 +51,7 @@ If you get an error message like: ERROR: for postfix-mailcow Cannot start service postfix-mailcow: driver failed programming external connectivity on endpoint mailcowdockerized_postfix-mailcow_1: Error starting userland proxy: listen tcp 0.0.0.0:25: bind: address already in use ``` -while trying to start / install mailcow: dockerized, make sure you've followed our section on the [prerequisites](prerequisite-system/#firewall-ports). +while trying to start / install mailcow: dockerized, make sure you've followed our section on the [prerequisites](../prerequisite-system/#firewall-ports). ## XYZ can't connect to ... 
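Review bot: in the last hunk the link becomes `../prerequisite-system/#firewall-ports`, which only resolves when the site is built with directory-style URLs and is broken when the Markdown is read in the repository. Linking to the source file instead (assuming it is `docs/prerequisite-system.md`, i.e. `prerequisite-system.md#firewall-ports`) lets MkDocs rewrite the target and works in both places. In the second hunk the corrected sentence still reads "It might also be wrongly linked file (i.e. SSL certificate)"; it needs "a wrongly linked file", and "e.g." rather than "i.e.".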
diff --git a/docs/firststeps-rspamd_ui.md b/docs/firststeps-rspamd_ui.md index fb0b49a96..01ae321f1 100644 --- a/docs/firststeps-rspamd_ui.md +++ b/docs/firststeps-rspamd_ui.md @@ -1,4 +1,4 @@ -Rspamd (https://rspamd.com/webui/) is an easy to use spam filtering tool presently installed with mailcow. +[Rspamd](https://rspamd.com/) is an easy to use spam filtering tool presently installed with mailcow. 1. Go to the mailcow web admin interface 2. Navigate to the Access tab. (Configuration > Administration > Access) diff --git a/docs/firststeps-snat.md b/docs/firststeps-snat.md index 3f6179b7e..bdaf53b2e 100644 --- a/docs/firststeps-snat.md +++ b/docs/firststeps-snat.md @@ -1,7 +1,5 @@ -## SNAT - SNAT is used to change the source address of the packets sent by mailcow. -It can be used to change the outgoing IP on systems with multiple IP addresses. +It can be used to change the outgoing IP address on systems with multiple IP addresses. Open `mailcow.conf`, set either or both of the following parameters: diff --git a/docs/firststeps-ssl.md b/docs/firststeps-ssl.md index 0d9176ac7..8fc2a1656 100644 --- a/docs/firststeps-ssl.md +++ b/docs/firststeps-ssl.md 
@@ -4,10 +4,10 @@ The "acme-mailcow" container will try to obtain a LE certificate for `${MAILCOW_ !!! warning mailcow **must** be available on port 80 for the acme-client to work. Our reverse proxy example configurations do cover that. You can also use any external ACME client (certbot for example) to obtain certificates, but you will need to make sure, that they are copied to the correct location and a post-hook reloads affected containers. See more in the Reverse Proxy documentation. - + By default, which means **0 domains** are added to mailcow, it will try to obtain a certificate for `${MAILCOW_HOSTNAME}`. -For each domain you add, it will try to resolve `autodiscover.ADDED_MAIL_DOMAIN` and `autoconfig.ADDED_MAIL_DOMAIN` to its IPv6 or - if IPv6 is not configured in your domain - IPv4 address. If it succeeds, a name will be added as SAN to the certificate request. +For each domain you add, it will try to resolve `autodiscover.ADDED_MAIL_DOMAIN` and `autoconfig.ADDED_MAIL_DOMAIN` to its IPv6 address or - if IPv6 is not configured in your domain - IPv4 address. If it succeeds, a name will be added as SAN to the certificate request. Only names that can be validated, will be added as SAN. @@ -25,7 +25,7 @@ Do not use quotes (`"`) and do not use spaces between the names! ADDITIONAL_SAN=smtp.*,cert1.example.com,cert2.example.org,whatever.* ``` -Each name will be validated against its IPv6 or - if IPv6 is not configured in your domain - IPv4 address. +Each name will be validated against its IPv6 address or - if IPv6 is not configured in your domain - IPv4 address. A wildcard name like `smtp.*` will try to obtain a smtp.DOMAIN_NAME SAN for each domain added to mailcow. 
@@ -47,9 +47,9 @@ The file will be deleted automatically. ### Validation errors and how to skip validation -You can skip the **IP verification** by setting `SKIP_IP_CHECK=y` in mailcow.conf (no quotes). Be warned that a misconfiguration will get you ratelimited by Let's Encrypt! This is primarily useful for multi-IP setups where the IP check would return the incorrect source IP. Due to using dynamic IPs for acme-mailcow, source NAT is not consistent over restarts. +You can skip the **IP verification** by setting `SKIP_IP_CHECK=y` in mailcow.conf (no quotes). Be warned that a misconfiguration will get you ratelimited by Let's Encrypt! This is primarily useful for multi-IP setups where the IP check would return the incorrect source IP address. Due to using dynamic IPs for acme-mailcow, source NAT is not consistent over restarts. -If you encounter problems with "HTTP validation", but your IP confirmation succeeds, you are most likely using firewalld, ufw or any other firewall, that disallows connections from `br-mailcow` to your external interface. Both firewalld and ufw disallow this by default. It is often not enough to just stop these firewall services. You'd need to stop mailcow (`docker-compose down`), stop the firewall service, flush the chains and restart Docker. +If you encounter problems with "HTTP validation", but your IP address confirmation succeeds, you are most likely using firewalld, ufw or any other firewall, that disallows connections from `br-mailcow` to your external interface. Both firewalld and ufw disallow this by default. It is often not enough to just stop these firewall services. You'd need to stop mailcow (`docker-compose down`), stop the firewall service, flush the chains and restart Docker. You can also skip this validation method by setting `SKIP_HTTP_VERIFICATION=y` in "mailcow.conf". Be warned that this is discouraged. 
In most cases, the HTTP verification is skipped to workaround unknown NAT reflection issues, which are not resolved by ignoring this specific network misconfiguration. If you encounter problems generating TLSA records in the DNS overview within mailcow, you are most likely having issues with NAT reflection you should fix. @@ -73,9 +73,10 @@ By default, "acme-mailcow" will create a single SAN certificate for all validate This provides best compatibility but means the Let's Encrypt limit exceeds if you add too many domains to a single mailcow installation. To solve this, you can configure `ENABLE_SSL_SNI` to generate: -* A main server certificate with `MAILCOW_HOSTNAME` and all fully qualified domain names in the `ADDITIONAL_SAN` config -* One additional certificate for each domain found in the database with autodiscover.*, autoconfig.* and any other `ADDITIONAL_SAN` configured in this format (subdomain.*). -* Limitations: A certificate name `ADDITIONAL_SAN=test.example.com` will be added as SAN to the main certificate. A separate certificate/key pair will **not** be generated for this format. + +- A main server certificate with `MAILCOW_HOSTNAME` and all fully qualified domain names in the `ADDITIONAL_SAN` config +- One additional certificate for each domain found in the database with autodiscover.*, autoconfig.* and any other `ADDITIONAL_SAN` configured in this format (subdomain.*). +- Limitations: A certificate name `ADDITIONAL_SAN=test.example.com` will be added as SAN to the main certificate. A separate certificate/key pair will **not** be generated for this format. Postfix, Dovecot and Nginx will then serve these certificates with SNI. 
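Review bot: the bullet markers change from `*` to `-`, but the second item still carries bare asterisks in `autodiscover.*, autoconfig.*` and `(subdomain.*)`, which Markdown can pair up as emphasis and drop from the rendered text. Put those patterns in code spans, the way `ADDITIONAL_SAN` is already written on the same line.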
@@ -86,14 +87,16 @@ Set `ENABLE_SSL_SNI=y` in "mailcow.conf" and recreate "acme-mailcow" by running You should make sure these clients use the `MAILCOW_HOSTNAME` for secure connections if you enable this feature. Here is an example: -* `MAILCOW_HOSTNAME=server.email.tld` -* `ADDITIONAL_SAN=webmail.email.tld,mail.*` -* Mailcow email domains: "domain1.tld" and "domain2.tld" + +- `MAILCOW_HOSTNAME=server.email.tld` +- `ADDITIONAL_SAN=webmail.email.tld,mail.*` +- Mailcow email domains: "domain1.tld" and "domain2.tld" The following certificates will be generated: -* `server.email.tld, webmail.email.tld` -> this is the default certificate, all clients can connect with these domains -* `mail.domain1.tld, autoconfig.domain1.tld, autodiscover.domain1.tld` -> individual certificate for domain1.tld, cannot be used by clients without SNI support -* `mail.domain2.tld, autoconfig.domain2.tld, autodiscover.domain2.tld` -> individual certificate for domain2.tld, cannot be used by clients without SNI support + +- `server.email.tld, webmail.email.tld` -> this is the default certificate, all clients can connect with these domains +- `mail.domain1.tld, autoconfig.domain1.tld, autodiscover.domain1.tld` -> individual certificate for domain1.tld, cannot be used by clients without SNI support +- `mail.domain2.tld, autoconfig.domain2.tld, autodiscover.domain2.tld` -> individual certificate for domain2.tld, cannot be used by clients without SNI support ### How to use your own certificate @@ -111,7 +114,7 @@ docker restart $(docker ps -qaf name=nginx-mailcow) docker restart $(docker ps -qaf name=dovecot-mailcow) ``` -See https://mailcow.github.io/mailcow-dockerized-docs/firststeps-rp/#optional-post-hook-script-for-non-mailcow-acme-clients for a full example script. +See [Post-hook script for non-mailcow ACME clients](../firststeps-rp/#optional-post-hook-script-for-non-mailcow-acme-clients) for a full example script. ### Test against staging ACME directory 
diff --git a/docs/firststeps-sync_jobs_migration.md b/docs/firststeps-sync_jobs_migration.md index 120118498..a519461f4 100644 --- a/docs/firststeps-sync_jobs_migration.md +++ b/docs/firststeps-sync_jobs_migration.md @@ -10,7 +10,7 @@ Sync jobs are used to copy or move existing emails from an external IMAP server 3. Fill in the "Host" and "Port" fields with their respective correct values from the upstream IMAP server. -4. In the "Username" and 'Password" fields, supply the correct access credentials from the upstream IMAP server. +4. In the "Username" and "Password" fields, supply the correct access credentials from the upstream IMAP server. 5. Select the "Encryption Method". If the upstream IMAP server uses port 143, it is likely that the encryption method is TLS and SSL for port 993. Nevertheless, you can use PLAIN authentication, but it is stongly discouraged. @@ -19,4 +19,4 @@ Sync jobs are used to copy or move existing emails from an external IMAP server 7. Make sure to tick "Active" and click "Add". !!! info - Once Completed, log into the mailbox and check if all emails are imported correctly. If all goes well, All your mails shall end up in your new mailbox. And don't forget to delete or deactivate the sync job after it is used. \ No newline at end of file + Once Completed, log into the mailbox and check if all emails are imported correctly. If all goes well, all your mails shall end up in your new mailbox. And don't forget to delete or deactivate the sync job after it is used. \ No newline at end of file diff --git a/docs/i_u_m_install.md b/docs/i_u_m_install.md index d30d69eb3..62a333752 100644 --- a/docs/i_u_m_install.md +++ b/docs/i_u_m_install.md 
@@ -22,7 +22,7 @@ systemctl start docker.service !!! warning **mailcow requires the latest version of docker-compose.** It is highly recommended to use the commands below to install `docker-compose`. Package managers (e.g. `apt`, `yum`) **likely won't** give you the latest version. _Note: This command downloads docker-compose from the official Docker Github repository and is a safe method. The snippet will determine the latest supported version by mailcow. In almost all cases this is the latest version available (exceptions are broken releases or major changes not yet supported by mailcow)._ - + ``` curl -L https://github.com/docker/compose/releases/download/$(curl -Ls https://www.servercow.de/docker-compose/latest.php)/docker-compose-$(uname -s)-$(uname -m) > /usr/local/bin/docker-compose chmod +x /usr/local/bin/docker-compose @@ -108,7 +108,7 @@ networks: If you do not have an IPv6 enabled network on your host and you don't care for a better internet (thehe), it is recommended to [disable IPv6](https://mailcow.github.io/mailcow-dockerized-docs/firststeps-disable_ipv6/) for the mailcow network to prevent unforeseen issues. -**5\.** Pull the images and run the composer file. The parameter `-d` will start mailcow: dockerized detached: +**5\.** Pull the images and run the compose file. The parameter `-d` will start mailcow: dockerized detached: ``` docker-compose pull docker-compose up -d @@ -118,8 +118,8 @@ Done! You can now access **https://${MAILCOW_HOSTNAME}** with the default credentials `admin` + password `moohoo`. - !!! info - If you are not using mailcow behind a reverse proxy, you should [redirect all HTTP requests to HTTPS](https://mailcow.github.io/mailcow-dockerized-docs/u_e-80_to_443/). +!!! info + If you are not using mailcow behind a reverse proxy, you should [redirect all HTTP requests to HTTPS](https://mailcow.github.io/mailcow-dockerized-docs/u_e-80_to_443/). The database will be initialized right after a connection to MySQL can be established. 
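Review bot: the last hunk fixes the indentation of the `!!! info` block but leaves the line directly above it, which publishes the default credentials `admin` / `moohoo`, without any instruction to change them. Add a sentence there, or in this admonition, telling the reader to change the admin password immediately after the first login. The admonition also keeps an absolute `https://mailcow.github.io/...` link while other files in this patch switch to relative links; pick one style.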
diff --git a/docs/prerequisite-dns.md b/docs/prerequisite-dns.md index a5f29fdbf..2812cd6d9 100644 --- a/docs/prerequisite-dns.md +++ b/docs/prerequisite-dns.md @@ -9,9 +9,9 @@ Below you can find a list of **recommended DNS records**. While some are mandato - An in-depth discussion of SPF, DKIM and DMARC: ["How to eliminate spam and protect your name with DMARC"](https://www.skelleton.net/2015/03/21/how-to-eliminate-spam-and-protect-your-name-with-dmarc/) -## Reverse DNS of your IP +## Reverse DNS of your IP address -Make sure that the PTR record of your IP matches the FQDN of your mailcow host: `${MAILCOW_HOSTNAME}` [^1]. This record is usually set at the provider you leased the IP (server) from. +Make sure that the PTR record of your IP address matches the FQDN of your mailcow host: `${MAILCOW_HOSTNAME}` [^1]. This record is usually set at the provider you leased the IP address (server) from. ## The minimal DNS configuration @@ -31,7 +31,7 @@ autoconfig IN CNAME mail In the example DNS zone file snippet below, a simple **SPF** TXT record is used to only allow THIS server (the MX) to send mail for your domain. Every other server is disallowed but able to ("`~all`"). Please refer to [SPF Project](http://www.open-spf.org/) for further reading. ``` -@ IN TXT "v=spf1 mx a -all" +@ IN TXT "v=spf1 mx -all" ``` It is highly recommended to create a **DKIM** TXT record in your mailcow UI and set the corresponding TXT record in your DNS records. Please refer to [OpenDKIM](http://www.opendkim.org) for further reading. 
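Review bot: the SPF record becomes `v=spf1 mx -all`, but the paragraph above it still describes the policy as "Every other server is disallowed but able to" and quotes `~all`. `-all` is a hard fail and `~all` a soft fail, so the text and the record describe different policies; update the sentence to match `-all`, or explain when `~all` is the better choice. Dropping the `a` mechanism also means the host behind the domain's own A record is no longer authorized to send unless it is also the MX, which deserves a short mention.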
@@ -82,4 +82,4 @@ If you are interested in statistics, you can additionally register with the [Pos @ IN TXT "google-site-verification=..." ``` -[^1]: A **Fully Qualified Domain Name** (**FQDN**) is the complete (absolute) domain name for a specific computer or host, on the Internet. The FQDN consists of at least three parts divided by a dot: the hostname (myhost), the domain name (mydomain) and the top level domain in short **tld** (com). In the example of `mx.mailcow.email` the hostname would be `mx`, the domain name 'mailcow' and the tld `email`. +[^1]: A **Fully Qualified Domain Name** (**FQDN**) is the complete (absolute) domain name for a specific computer or host, on the Internet. The FQDN consists of at least three parts divided by a dot: the hostname (myhost), the domain name (mydomain) and the top level domain in short **tld** (com). In the example of `mx.mailcow.email` the hostname would be `mx`, the domain name `mailcow` and the tld `email`. From 5404be00dade27f3f760362c12bd1b09f0cda07b Mon Sep 17 00:00:00 2001 From: Gravity <18413674+grravity@users.noreply.github.com> Date: Sat, 24 Oct 2020 14:16:31 -0400 Subject: [PATCH 045/220] Changes to DMARC and Added FQDN header - Removed the Google Postmaster TXT record example - Increased clarity to follow the DMARC statistics guide to deploying, as they may not all utilize TXT files and the process can vary per service or tool. - Increased clarity that other services and tools are available for DMARC statistics than just the listed few - Add a header to FQDN for separation from the DMARC section under Misc. --- docs/prerequisite-dns.md | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/docs/prerequisite-dns.md b/docs/prerequisite-dns.md index e89fc6393..bc975841f 100644 --- a/docs/prerequisite-dns.md +++ b/docs/prerequisite-dns.md 
@@ -89,21 +89,15 @@ If you are interested in statistics, you can additionally register with some of **NOTE:** It is worth considering that if you request DMARC statistic reports to your Mailcow server, if there are issues with that domain you may not get accurate results. You can consider using an alternative email domain for recieving DMARC reports. +It is worth mentioning, that the following suggestions are not a comprehensive list of all services and tools avaialble, but only a small few of the many choices. + - [Postmaster Tool](https://gmail.com/postmaster) - [parsedmarc](https://github.com/domainaware/parsedmarc) (self-hosted) - [Fraudmarc](https://fraudmarc.com/) - [Postmark](https://dmarc.postmarkapp.com) - [Dmarcian](https://dmarcian.com/) -The services should provide you with a TXT record, which will give you details about spam-classified mails by your domain. -Using Google Postmaster as an example: - -``` -# Name Type Value - -@ IN TXT "google-site-verification=..." -``` - -However, ensure to read documentation from the service you choose, as this process may vary. +**NOTE:** The services may provide you with a TXT record, which you would insert into your DNS records as the provider specifies. This record will give you details about spam-classified mails by your domain. However, please ensure to read the providers documentation from the service you choose, as this process may vary and not all providers may use a TXT record. +### Fully Qualified Domain Name (FQDN) [^1]: A **Fully Qualified Domain Name** (**FQDN**) is the complete (absolute) domain name for a specific computer or host, on the Internet. The FQDN consists of at least three parts divided by a dot: the hostname (myhost), the domain name (mydomain) and the top level domain in short **tld** (com). In the example of `mx.mailcow.email` the hostname would be `mx`, the domain name 'mailcow' and the tld `email`. From 1dafbccff2b3e060e9f296d1d08507e673b90e53 Mon Sep 17 00:00:00 2001 
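Review bot: the added NOTE in docs/prerequisite-dns.md says the provider's TXT record 'will give you details about spam-classified mails by your domain', but a record like the removed `google-site-verification=...` example only proves to the provider that you control the domain; the statistics come from the provider afterwards. Suggest wording it that way. The added lines also carry 'avaialble' and 'the providers documentation' (missing apostrophe).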
From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Sat, 24 Oct 2020 21:52:34 +0200 Subject: [PATCH 046/220] Update u_e-dovecot-vmail-volume.md --- docs/u_e-dovecot-vmail-volume.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/docs/u_e-dovecot-vmail-volume.md b/docs/u_e-dovecot-vmail-volume.md index 40a339843..0cf07aa64 100644 --- a/docs/u_e-dovecot-vmail-volume.md +++ b/docs/u_e-dovecot-vmail-volume.md @@ -2,10 +2,12 @@ If you want to use another folder for the vmail-volume, you can create a `docker ``` version: '2.1' -services: - dovecot-mailcow: - volumes: - - /data/mailcow/vmail:/var/vmail +volumes: + vmail-vol-1: + driver_opts: + type: none + device: /data/mailcow/vmail + o: bind ``` ### Moving an existing vmail folder: From f36bf4b6c791206b542d48f0fda3e7a6369f8af7 Mon Sep 17 00:00:00 2001 From: Gravity <18413674+grravity@users.noreply.github.com> Date: Sat, 24 Oct 2020 16:01:15 -0400 Subject: [PATCH 047/220] changed capitalization --- docs/prerequisite-dns.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/prerequisite-dns.md b/docs/prerequisite-dns.md index 3b94214b8..95b5a5543 100644 --- a/docs/prerequisite-dns.md +++ b/docs/prerequisite-dns.md 
@@ -87,7 +87,7 @@ Here are some tools you can use to verify your DNS configuration: ### Optional DMARC Statistics If you are interested in statistics, you can additionally register with some of the many below DMARC statistic services, or self-host your own. -**NOTE:** It is worth considering that if you request DMARC statistic reports to your Mailcow server, if there are issues with that domain you may not get accurate results. You can consider using an alternative email domain for recieving DMARC reports. +**NOTE:** It is worth considering that if you request DMARC statistic reports to your mailcow server, if there are issues with that domain you may not get accurate results. You can consider using an alternative email domain for recieving DMARC reports. It is worth mentioning, that the following suggestions are not a comprehensive list of all services and tools avaialble, but only a small few of the many choices. 
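Review bot: the NOTE line this hunk rewrites for capitalization still reads 'recieving DMARC reports' and stacks two conditions ('if you request ..., if there are issues ...'); fix the spelling in the same change and reword it, for example 'If DMARC reports are sent to the same mailcow server and that domain has delivery problems, the reports may be incomplete'.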
@@ -100,4 +100,4 @@ It is worth mentioning, that the following suggestions are not a comprehensive l **NOTE:** The services may provide you with a TXT record, which you would insert into your DNS records as the provider specifies. This record will give you details about spam-classified mails by your domain. However, please ensure to read the providers documentation from the service you choose, as this process may vary and not all providers may use a TXT record. ### Fully Qualified Domain Name (FQDN) -[^1]: A **Fully Qualified Domain Name** (**FQDN**) is the complete (absolute) domain name for a specific computer or host, on the Internet. The FQDN consists of at least three parts divided by a dot: the hostname (myhost), the domain name (mydomain) and the top level domain in short **tld** (com). In the example of `mx.mailcow.email` the hostname would be `mx`, the domain name `mailcow` and the tld `email`. \ No newline at end of file +[^1]: A **Fully Qualified Domain Name** (**FQDN**) is the complete (absolute) domain name for a specific computer or host, on the Internet. The FQDN consists of at least three parts divided by a dot: the hostname (myhost), the domain name (mydomain) and the top level domain in short **tld** (com). In the example of `mx.mailcow.email` the hostname would be `mx`, the domain name `mailcow` and the tld `email`. From 64f764d2d583b695f601553d8edf05467011d841 Mon Sep 17 00:00:00 2001 From: Matthew Frost Date: Thu, 29 Oct 2020 10:38:21 +0100 Subject: [PATCH 048/220] Update prerequisite-dns.md --- docs/prerequisite-dns.md | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/docs/prerequisite-dns.md b/docs/prerequisite-dns.md index 95b5a5543..596c84d51 100644 --- a/docs/prerequisite-dns.md +++ b/docs/prerequisite-dns.md 
@@ -99,5 +99,32 @@ It is worth mentioning, that the following suggestions are not a comprehensive l **NOTE:** The services may provide you with a TXT record, which you would insert into your DNS records as the provider specifies. This record will give you details about spam-classified mails by your domain. However, please ensure to read the providers documentation from the service you choose, as this process may vary and not all providers may use a TXT record. +### Email Test for SPF, DKIM and DMARC: + +To test send an email to the email below and wait for a reply: + +check-auth@verifier.port25.com + +You will get a report back that looks like the following: + +``` + +========================================================== +Summary of Results +========================================================== +SPF check: pass +"iprev" check: pass +DKIM check: pass +DKIM check: pass +SpamAssassin check: ham + +========================================================== +Details: +========================================================== +.... +``` +The full report will contain more technical details this is just the first section, we found this to be quite usful for testing both outgoing mail and spam scores. + + ### Fully Qualified Domain Name (FQDN) [^1]: A **Fully Qualified Domain Name** (**FQDN**) is the complete (absolute) domain name for a specific computer or host, on the Internet. The FQDN consists of at least three parts divided by a dot: the hostname (myhost), the domain name (mydomain) and the top level domain in short **tld** (com). In the example of `mx.mailcow.email` the hostname would be `mx`, the domain name `mailcow` and the tld `email`. From ca2ad569057777a7350837f8476e5eb594e8b24b Mon Sep 17 00:00:00 2001 From: Dmitriy Alekseev <1865999+dragoangel@users.noreply.github.com> Date: Thu, 29 Oct 2020 11:55:49 +0200 Subject: [PATCH 049/220] Update u_e-rspamd.md --- docs/u_e-rspamd.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
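Review bot: in the new 'Email Test for SPF, DKIM and DMARC' section of docs/prerequisite-dns.md, the sample report lists `DKIM check: pass` twice and has no DMARC line even though the heading promises one; either explain the second DKIM line or drop it, and say where the DMARC result appears in the reply. The address `check-auth@verifier.port25.com` should be set in backticks like the other literals on the page, the text should mention that the test message and its headers go to a third-party service, and the closing sentence is a run-on with 'usful' for 'useful'.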
diff --git a/docs/u_e-rspamd.md b/docs/u_e-rspamd.md index 545cd82d6..3aa0125c7 100644 --- a/docs/u_e-rspamd.md +++ b/docs/u_e-rspamd.md @@ -128,20 +128,20 @@ reject_message = "My custom reject message"; Save the file and restart Rspamd: `docker-compose restart rspamd-mailcow`. -While the above works for rejected mails with a high spam score, global maps (as found in "Global filter maps" in /admin) will ignore this setting. For these maps, the multimap module in Rspamd needs to be adjusted: +While the above works for rejected mails with a high spam score, prefilter reject actions will ignore this setting. For these maps, the multimap module in Rspamd needs to be adjusted: -1. Open `{mailcow-dir}/data/conf/rspamd/local.d/multimap.conf` and find the desired map symbol (e.g. `GLOBAL_SMTP_FROM_BL`). +1. Find prefilet reject symbol for which you want change message, to do it run: `grep -R "SYMBOL_YOU_WANT_TO_ADJUST" /opt/mailcow-dockerized/data/conf/rspamd/` 2. Add your custom message as new line: ``` -GLOBAL_SMTP_FROM_BL { - type = "from"; - message = "Your domain is blacklisted, contact postmaster@your.domain to resolve this case.";` - map = "$LOCAL_CONFDIR/custom/global_smtp_from_blacklist.map"; +GLOBAL_RCPT_BL { + type = "rcpt"; + map = "${LOCAL_CONFDIR}/custom/global_rcpt_blacklist.map"; regexp = true; prefilter = true; action = "reject"; + message = "Sending mail to this recipient is prohibited by postmaster@your.domain"; } ``` From a7c7c191add8751df309bf38994b8a67dd60e1c3 Mon Sep 17 00:00:00 2001 From: andryyy Date: Fri, 30 Oct 2020 22:19:31 +0100 Subject: [PATCH 050/220] add quarantine resend debug info --- docs/u_e-rspamd.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/docs/u_e-rspamd.md b/docs/u_e-rspamd.md index 545cd82d6..c4df30661 100644 --- a/docs/u_e-rspamd.md +++ b/docs/u_e-rspamd.md 
@@ -210,3 +210,15 @@ Restart Rspamd: ```bash docker-compose exec redis-mailcow sh ``` + +## Trigger a resend of quarantine notifications + +Should be used for debugging only! + +``` +docker-compose exec dovecot-mailcow bash +mysql -umailcow -p$DBPASS mailcow -e "update quarantine set notified = 0;" +redis-cli -h redis DEL Q_LAST_NOTIFIED +quarantine_notify.py +``` + From f8b456f3758559f691c06ba44d48d37aa650d8e5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Tue, 3 Nov 2020 21:34:50 +0100 Subject: [PATCH 051/220] Update u_e-rspamd.md --- docs/u_e-rspamd.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/docs/u_e-rspamd.md b/docs/u_e-rspamd.md index 1b2a6efd4..bdc4fa461 100644 --- a/docs/u_e-rspamd.md +++ b/docs/u_e-rspamd.md @@ -3,12 +3,14 @@ Rspamd is used for AV handling, DKIM signing and SPAM handling. It's a powerful ## Learn Spam & Ham Rspamd learns mail as spam or ham when you move a message in or out of the junk folder to any mailbox besides trash. -This is achieved by using the Dovecot plugin "antispam" and a simple parser script. +This is achieved by using the Sieve plugin "sieve_imapsieve" and parser scripts. -Rspamd also auto-learns mail when a high or low score is detected (see https://rspamd.com/doc/configuration/statistic.html#autolearning) +Rspamd also auto-learns mail when a high or low score is detected (see https://rspamd.com/doc/configuration/statistic.html#autolearning). We configured the plugin to keep a sane ratio between spam and ham learns. The bayes statistics are written to Redis as keys `BAYES_HAM` and `BAYES_SPAM`. +Besides bayes, a local fuzzy storage is used to learn recurring patterns in text or images that indicate ham or spam. + You can also use Rspamd's web UI to learn ham and / or spam or to adjust certain settings of Rspamd. ### Learn Spam or Ham from existing directory From f1fa9b69aacc7c259ce367a62d25695793293187 Mon Sep 17 00:00:00 2001 
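Review bot: in the 'Trigger a resend of quarantine notifications' block of docs/u_e-rspamd.md, `update quarantine set notified = 0;` has no WHERE clause, so it clears the flag on every row of the table rather than on one test item. 'Should be used for debugging only!' should spell out that scope, so nobody runs it on a production system expecting a single notification. `-p$DBPASS` is also unquoted; a password containing spaces or shell metacharacters will break the command, so write it as `-p"$DBPASS"`.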
From: andryyy Date: Thu, 12 Nov 2020 08:52:02 +0100 Subject: [PATCH 052/220] add info about pw schemes --- docs/model-pws.md | 28 ++++++++++++++++++++++++++++ mkdocs.yml | 1 + 2 files changed, 29 insertions(+) create mode 100644 docs/model-pws.md diff --git a/docs/model-pws.md b/docs/model-pws.md new file mode 100644 index 000000000..78c935e93 --- /dev/null +++ b/docs/model-pws.md @@ -0,0 +1,28 @@ +# Fully supported hashing methods + +The most current mailcow fully supports the following hashing methods. +The default hashing method is written in bold: + +- **BLF-CRYPT** +- SSHA256 +- SSHA512 + +The methods above can be used in `mailcow.conf` as `MAILCOW_PASS_SCHEME` value. + +## Read-only hashing methods + +The following methods are supported **read only**. + +- MD5-CRYPT +- PLAIN-MD5 +- SHA512-CRYPT + +That means mailcow is able to verify users with a hash like `{PLAIN-MD5}1a1dc91c907325c69271ddf0c944bc72` from the database. + +The value of `MAILCOW_PASS_SCHEME` will _always_ be used to encrypt new passwords. + +--- + +> I changed the password hashes in the "mailbox" SQL table and cannot login. + +A "view" needs to be updated. You can trigger this by restarting sogo-mailcow: `docker-compose restart sogo-mailcow` diff --git a/mkdocs.yml b/mkdocs.yml index ac539bb05..621031721 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -43,6 +43,7 @@ nav: - 'Models': - 'Sender and receiver model': 'model-sender_rcv.md' - 'ACL': 'model-acl.md' + - 'Password hashing': 'model-passwd.md' - 'Debugging & Troubleshooting': - 'Introduction': debug.md - 'Logs': 'debug-logs.md' From 08283bab355dd0e41787a51c293c2253899a64f7 Mon Sep 17 00:00:00 2001 From: andryyy Date: Thu, 12 Nov 2020 10:20:00 +0100 Subject: [PATCH 053/220] fix url --- docs/model-passwd.md | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 docs/model-passwd.md diff --git a/docs/model-passwd.md b/docs/model-passwd.md new file mode 100644 index 000000000..78c935e93 --- /dev/null 
+++ b/docs/model-passwd.md @@ -0,0 +1,28 @@ +# Fully supported hashing methods + +The most current mailcow fully supports the following hashing methods. +The default hashing method is written in bold: + +- **BLF-CRYPT** +- SSHA256 +- SSHA512 + +The methods above can be used in `mailcow.conf` as `MAILCOW_PASS_SCHEME` value. + +## Read-only hashing methods + +The following methods are supported **read only**. + +- MD5-CRYPT +- PLAIN-MD5 +- SHA512-CRYPT + +That means mailcow is able to verify users with a hash like `{PLAIN-MD5}1a1dc91c907325c69271ddf0c944bc72` from the database. + +The value of `MAILCOW_PASS_SCHEME` will _always_ be used to encrypt new passwords. + +--- + +> I changed the password hashes in the "mailbox" SQL table and cannot login. + +A "view" needs to be updated. You can trigger this by restarting sogo-mailcow: `docker-compose restart sogo-mailcow` From 961e93f0f8b2fa1d74feacae04e0862f353f311f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Thu, 12 Nov 2020 12:40:52 +0100 Subject: [PATCH 054/220] Update model-passwd.md --- docs/model-passwd.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/model-passwd.md b/docs/model-passwd.md index 78c935e93..c06642039 100644 --- a/docs/model-passwd.md +++ b/docs/model-passwd.md @@ -1,4 +1,4 @@ -# Fully supported hashing methods +## Fully supported hashing methods The most current mailcow fully supports the following hashing methods. The default hashing method is written in bold: From 58c985de7a9c49117c2186c28eb500fca7c8887b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Thu, 12 Nov 2020 13:32:48 +0100 Subject: [PATCH 055/220] Update firststeps-disable_ipv6.md --- docs/firststeps-disable_ipv6.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/firststeps-disable_ipv6.md b/docs/firststeps-disable_ipv6.md index 1f0f86abf..f522d4d05 100644 --- a/docs/firststeps-disable_ipv6.md +++ b/docs/firststeps-disable_ipv6.md 
@@ -72,6 +72,7 @@ Create `data/conf/postfix/extra.cf` and set `smtp_address_preference` to `ipv4`: ``` smtp_address_preference = ipv4 +inet_protocols = ipv4 ``` Restart Postfix: From 9dacef6c9a52f2b2edef32d70de2eb09135abe53 Mon Sep 17 00:00:00 2001 From: andryyy Date: Sat, 14 Nov 2020 19:18:04 +0100 Subject: [PATCH 056/220] Add info about FIDO2/WebAuthn --- docs/model-fido2.md | 15 +++++++++++++++ mkdocs.yml | 1 + 2 files changed, 16 insertions(+) create mode 100644 docs/model-fido2.md diff --git a/docs/model-fido2.md b/docs/model-fido2.md new file mode 100644 index 000000000..49dc78fb8 --- /dev/null +++ b/docs/model-fido2.md @@ -0,0 +1,15 @@ +## How is UV handled in mailcow? + +The UV flag (as in "user verification") enforces WebAuthn to verify the user before it allows access to the key (think of a PIN). We don't enforce UV to allow logins via iOS and NFC (YubiKey). + +## Login and key processing + +mailcow uses **client-side key processing**. We ask the authenticator (i.e. YubiKey) to save the registration in its memory. + +A user does not need to enter a username. The available credentials - if any - will be shown to the user when selecting the "key login" via mailcow UI login. + +When calling the login process, the authenticator is not given any credential IDs. This will force it to lookup credentials in its own memory. + +## Who can use WebAuthn to login to mailcow? + +As of today, only administrators and domain administrators are able to setup WebAuthn/FIDO2. diff --git a/mkdocs.yml b/mkdocs.yml index 621031721..f3d977873 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -44,6 +44,7 @@ nav: - 'Sender and receiver model': 'model-sender_rcv.md' - 'ACL': 'model-acl.md' - 'Password hashing': 'model-passwd.md' + - 'WebAuthn / FIDO2': 'model-fido2.md' - 'Debugging & Troubleshooting': - 'Introduction': debug.md - 'Logs': 'debug-logs.md' From e7f6252c560da3c2cfe1e9646f3b75af29db725b Mon Sep 17 00:00:00 2001 
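Review bot: the new docs/model-fido2.md says UV is not enforced and, under 'Login and key processing', that no username is entered and credentials are looked up on the authenticator itself, but it never states what that combination means. Since the page limits WebAuthn to administrators and domain administrators, add a sentence saying that when the authenticator skips user verification, holding the key is all the authenticator checks, and recommend setting a PIN on the key. Minor: 'i.e. YubiKey' should be 'e.g. YubiKey'.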
From: andryyy Date: Sat, 14 Nov 2020 19:20:00 +0100 Subject: [PATCH 057/220] Order... --- mkdocs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mkdocs.yml b/mkdocs.yml index f3d977873..39c5483f0 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -41,9 +41,9 @@ nav: - 'Sync job migration': 'firststeps-sync_jobs_migration.md' - 'IP bindings': 'firststeps-ip_bindings.md' - 'Models': - - 'Sender and receiver model': 'model-sender_rcv.md' - 'ACL': 'model-acl.md' - 'Password hashing': 'model-passwd.md' + - 'Sender and receiver model': 'model-sender_rcv.md' - 'WebAuthn / FIDO2': 'model-fido2.md' - 'Debugging & Troubleshooting': - 'Introduction': debug.md From 9beceaf2e60791f92b0ef9bf05f404f1c419727e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Sat, 14 Nov 2020 19:25:11 +0100 Subject: [PATCH 058/220] Update model-fido2.md --- docs/model-fido2.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/model-fido2.md b/docs/model-fido2.md index 49dc78fb8..0aa724510 100644 --- a/docs/model-fido2.md +++ b/docs/model-fido2.md @@ -1,6 +1,6 @@ ## How is UV handled in mailcow? -The UV flag (as in "user verification") enforces WebAuthn to verify the user before it allows access to the key (think of a PIN). We don't enforce UV to allow logins via iOS and NFC (YubiKey). +The UV flag (as in "user verification") enforces WebAuthn to verify the user before it allows access to the key (think of a PIN). We don't enforce but prefer UV to allow logins via iOS and NFC (YubiKey). ## Login and key processing From 66dcbf9f6c18a16f69379b17bc5b5d1d6e6ba3c0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Sun, 15 Nov 2020 08:39:05 +0100 Subject: [PATCH 059/220] Update model-fido2.md --- docs/model-fido2.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/docs/model-fido2.md b/docs/model-fido2.md index 0aa724510..2a42d5a66 100644 --- a/docs/model-fido2.md +++ b/docs/model-fido2.md 
@@ -1,6 +1,6 @@ ## How is UV handled in mailcow? -The UV flag (as in "user verification") enforces WebAuthn to verify the user before it allows access to the key (think of a PIN). We don't enforce but prefer UV to allow logins via iOS and NFC (YubiKey). +The UV flag (as in "user verification") enforces WebAuthn to verify the user before it allows access to the key (think of a PIN). We don't enforce but prefer UV to allow logins via iOS and NFC (YubiKey). W ## Login and key processing @@ -13,3 +13,11 @@ When calling the login process, the authenticator is not given any credential ID ## Who can use WebAuthn to login to mailcow? As of today, only administrators and domain administrators are able to setup WebAuthn/FIDO2. + +## iOS problems + +Please use a desktop computer to register your key with your mailcow account. + +The process was tested using a YubiKey with Chrome on Windows. When registering a new, empty key, you will be prompted for a PIN for the new YubiKey. Once set and confirmed, the credentials are stored on the key. Using it with iOS works flawless now. + +iOS seems not to be able to set a PIN on the device on first use, so please use a desktop computer for this step. From 18abadce8d810ad9dbe18500ddbca61d7aa9f893 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Mon, 16 Nov 2020 08:42:35 +0100 Subject: [PATCH 060/220] Update model-fido2.md --- docs/model-fido2.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/model-fido2.md b/docs/model-fido2.md index 2a42d5a66..8b0f58e86 100644 --- a/docs/model-fido2.md +++ b/docs/model-fido2.md 
@@ -1,6 +1,6 @@ ## How is UV handled in mailcow? -The UV flag (as in "user verification") enforces WebAuthn to verify the user before it allows access to the key (think of a PIN). We don't enforce but prefer UV to allow logins via iOS and NFC (YubiKey). W +The UV flag (as in "user verification") enforces WebAuthn to verify the user before it allows access to the key (think of a PIN). We don't enforce but prefer UV to allow logins via iOS and NFC (YubiKey). ## Login and key processing From b76206b5150a4fb0b1ac23847ee34a02fbc85941 Mon Sep 17 00:00:00 2001 From: Philipp Beckers Date: Fri, 20 Nov 2020 19:13:53 +0100 Subject: [PATCH 061/220] added new section "via Docker" to the "make it automatic" section --- docs/u_e-dovecot-expunge.md | 39 +++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/docs/u_e-dovecot-expunge.md b/docs/u_e-dovecot-expunge.md index 2c5f97710..a91eb62bc 100644 --- a/docs/u_e-dovecot-expunge.md +++ b/docs/u_e-dovecot-expunge.md @@ -33,6 +33,8 @@ docker-compose exec dovecot-mailcow doveadm expunge -u 'mailbox@example.com' mai ## Make it automatic +### via the host system cron: + If you want to automate such a task you can create a cron job on your host that calls a script like the one below: ``` 
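Review bot: the UV sentence in docs/model-fido2.md as it stands after this change, 'We don't enforce but prefer UV to allow logins via iOS and NFC (YubiKey).', can be read as saying that preferring UV is what allows iOS and NFC logins. Suggest splitting it into two statements: UV is requested as preferred rather than required, and the reason given for not requiring it is to keep logins via iOS and NFC working. In the 'iOS problems' section added one patch earlier, 'works flawless' should be 'works flawlessly'.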
@@ -51,3 +53,40 @@ To create a cron job you may execute `crontab -e` and insert something like the # Execute everyday at 04:00 A.M. 0 4 * * * /path/to/your/expunge_mailboxes.sh ``` + +### via Docker (Ofelia) + +If you prefer to do it via Docker, you can do it with [mcuadros/ofelia](https://github.com/mcuadros/ofelia) which is a low memory foot print docker job scheduler written in Go. It's quite easy to setup, first of all you need a Ofelia container running on your host (one container works for all other containers). To do so, you can add this to your mailcow docker.override.yml: + +``` + ofelia: + image: mcuadros/ofelia:latest + restart: always + command: daemon --docker + volumes: + - /var/run/docker.sock:/var/run/docker.sock:ro + network_mode: none +``` + +Ofelia doesn't need any network access, but access to the docker control socket to access the other containers. Once Ofelia is running by either adding it via the docker-compose.override.yml, or you running it otherwise, we can go and add the new job labels to the dovecot-mailcow container. I show here an example where I clean out the trash folder from any mails older then 2 weeks every day at 4 am. + +``` + dovecot-mailcow: + labels: + - "ofelia.enabled=true" + - "ofelia.job-exec.dovecot-expunge-trash.schedule=0 4 * * *" + - "ofelia.job-exec.dovecot-expunge-trash.command=doveadm expunge -A mailbox 'Junk' savedbefore 2w" + - "ofelia.job-exec.dovecot-expunge-trash.tty=false" +``` + +Add those lines to the docker-compose.override.yml of your mailcow or if you modified the dovecot definition already, extend the labels. The first one is clear, turns on Ofelia for this container. Next we have our cron-style time definiton, important here is also that part after ".job-execute." is the individual job name. This is important when you add more jobs to this container. 
+Those of us who struggle with the cron definitions, i can suggest [crontab guru](https://crontab.guru/) which gives you much more of a gasp on the time string defintion. Next line is the command, which is similar to above to clean out the trash. We don't need to name the container here as that is pointed out by Ofelia by the label already. "tty=false" tells Ofelia we don't need a pseudo-terminal to runs this. + +To see if things ran proper, you can not only see in your mailbox but also check Ofelia's docker log if it looks something like this: + +``` +common.go:124 ▶ NOTICE [Job "dovecot-expunge-trash" (8759567efa66)] Started - doveadm expunge -A mailbox 'Junk' savedbefore 2w, +common.go:124 ▶ NOTICE [Job "dovecot-expunge-trash" (8759567efa66)] Finished in "285.032291ms", failed: false, skipped: false, error: none, +``` + +If it failed it will say so and give you the output of the doveadm in the log to make it easy on you to debug. \ No newline at end of file From 17c0c75ca045016c923d1c0187429686f286bf7d Mon Sep 17 00:00:00 2001 From: Philipp Beckers Date: Fri, 20 Nov 2020 19:55:15 +0100 Subject: [PATCH 062/220] shortend the new section and rewrote it as suggested by @andryyy --- docs/u_e-dovecot-expunge.md | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/docs/u_e-dovecot-expunge.md b/docs/u_e-dovecot-expunge.md index a91eb62bc..ffd7f9782 100644 --- a/docs/u_e-dovecot-expunge.md +++ b/docs/u_e-dovecot-expunge.md 
@@ -54,11 +54,15 @@ To create a cron job you may execute `crontab -e` and insert something like the 0 4 * * * /path/to/your/expunge_mailboxes.sh ``` -### via Docker (Ofelia) +### via Docker job scheduler -If you prefer to do it via Docker, you can do it with [mcuadros/ofelia](https://github.com/mcuadros/ofelia) which is a low memory foot print docker job scheduler written in Go. It's quite easy to setup, first of all you need a Ofelia container running on your host (one container works for all other containers). To do so, you can add this to your mailcow docker.override.yml: +To archive this with a docker job scheduler use this docker-compose.override.yml with your mailcow: ``` +version: '2.1' + + services: + ofelia: image: mcuadros/ofelia:latest restart: always 
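Review bot: 'To archive this with a docker job scheduler' should read 'To achieve this'. With the heading and intro rewritten in this hunk, nothing above the compose block names the scheduler any more, so the reader meets `image: mcuadros/ofelia:latest` unexplained until the link in the last paragraph; keep one sentence that names and links Ofelia before the block.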
@@ -66,27 +70,24 @@ If you prefer to do it via Docker, you can do it with [mcuadros/ofelia](https:// volumes: - /var/run/docker.sock:/var/run/docker.sock:ro network_mode: none -``` -Ofelia doesn't need any network access, but access to the docker control socket to access the other containers. Once Ofelia is running by either adding it via the docker-compose.override.yml, or you running it otherwise, we can go and add the new job labels to the dovecot-mailcow container. I show here an example where I clean out the trash folder from any mails older then 2 weeks every day at 4 am. - -``` dovecot-mailcow: labels: - "ofelia.enabled=true" - "ofelia.job-exec.dovecot-expunge-trash.schedule=0 4 * * *" - "ofelia.job-exec.dovecot-expunge-trash.command=doveadm expunge -A mailbox 'Junk' savedbefore 2w" - "ofelia.job-exec.dovecot-expunge-trash.tty=false" + ``` -Add those lines to the docker-compose.override.yml of your mailcow or if you modified the dovecot definition already, extend the labels. The first one is clear, turns on Ofelia for this container. Next we have our cron-style time definiton, important here is also that part after ".job-execute." is the individual job name. This is important when you add more jobs to this container. -Those of us who struggle with the cron definitions, i can suggest [crontab guru](https://crontab.guru/) which gives you much more of a gasp on the time string defintion. Next line is the command, which is similar to above to clean out the trash. We don't need to name the container here as that is pointed out by Ofelia by the label already. "tty=false" tells Ofelia we don't need a pseudo-terminal to runs this. - -To see if things ran proper, you can not only see in your mailbox but also check Ofelia's docker log if it looks something like this: +The job controller just need access to the docker control socket to be able to emulate the behavior of "exec". 
Then we add a few label to our dovecot-container to activate the job scheduler and tell him in a cron compatible scheduling format when to run. If you struggle with that schedule string you can use [crontab guru](https://crontab.guru/). +This docker-compose.override.yml deletes all mails older then 2 weeks every day at 4 am. To see if things ran proper, you can not only see in your mailbox but also check Ofelia's docker log if it looks something like this: ``` common.go:124 ▶ NOTICE [Job "dovecot-expunge-trash" (8759567efa66)] Started - doveadm expunge -A mailbox 'Junk' savedbefore 2w, common.go:124 ▶ NOTICE [Job "dovecot-expunge-trash" (8759567efa66)] Finished in "285.032291ms", failed: false, skipped: false, error: none, ``` -If it failed it will say so and give you the output of the doveadm in the log to make it easy on you to debug. \ No newline at end of file +If it failed it will say so and give you the output of the doveadm in the log to make it easy on you to debug. + +In case you want to add more jobs, ensure you change the "dovecot-expunge-trash" part after "ofelia.job-exec." to something else, it defines the name of the job. Syntax of the labels you find at [mcuadros/ofelia](https://github.com/mcuadros/ofelia). \ No newline at end of file From df4bba3abde0f2e11987bf249818d44d91e014f8 Mon Sep 17 00:00:00 2001 From: Philipp Beckers Date: Fri, 20 Nov 2020 19:58:55 +0100 Subject: [PATCH 063/220] made the "Make it" changed I missed earlier --- docs/u_e-dovecot-expunge.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/u_e-dovecot-expunge.md b/docs/u_e-dovecot-expunge.md index ffd7f9782..f5db787cd 100644 --- a/docs/u_e-dovecot-expunge.md +++ b/docs/u_e-dovecot-expunge.md 
@@ -31,7 +31,7 @@ docker-compose exec dovecot-mailcow doveadm expunge -u 'mailbox@example.com' mai !!! info For possible [time spans](https://wiki.dovecot.org/Tools/Doveadm/SearchQuery#section_date_specification) or [search keys](https://wiki.dovecot.org/Tools/Doveadm/SearchQuery#section_search_keys) have a look at [man doveadm-search-query](https://wiki.dovecot.org/Tools/Doveadm/SearchQuery) -## Make it automatic +## Job scheduler ### via the host system cron: From 37ec46ae9ec25d04adfc068bc4418ad9b61cbcbf Mon Sep 17 00:00:00 2001 From: Philipp Beckers Date: Fri, 20 Nov 2020 20:05:20 +0100 Subject: [PATCH 064/220] clearified what gets deleted by the sample docker.override.yml --- docs/u_e-dovecot-expunge.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/u_e-dovecot-expunge.md b/docs/u_e-dovecot-expunge.md index f5db787cd..d6fc3ac24 100644 --- a/docs/u_e-dovecot-expunge.md +++ b/docs/u_e-dovecot-expunge.md @@ -33,7 +33,7 @@ docker-compose exec dovecot-mailcow doveadm expunge -u 'mailbox@example.com' mai ## Job scheduler -### via the host system cron: +### via the host system cron If you want to automate such a task you can create a cron job on your host that calls a script like the one below: 
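Review bot: in the Ofelia example of docs/u_e-dovecot-expunge.md, the service mounts `/var/run/docker.sock:/var/run/docker.sock:ro` and the text only says the controller 'just need access to the docker control socket'. The `:ro` flag does not limit what can be requested over the socket, so this container can control every container on the host; the paragraph should say so, and `image: mcuadros/ofelia:latest` should be pinned to a release tag or digest. The job is also named `dovecot-expunge-trash` while its command expunges `'Junk'`; rename it to match.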
@@ -81,7 +81,7 @@ version: '2.1' ``` The job controller just need access to the docker control socket to be able to emulate the behavior of "exec". Then we add a few label to our dovecot-container to activate the job scheduler and tell him in a cron compatible scheduling format when to run. If you struggle with that schedule string you can use [crontab guru](https://crontab.guru/). -This docker-compose.override.yml deletes all mails older then 2 weeks every day at 4 am. To see if things ran proper, you can not only see in your mailbox but also check Ofelia's docker log if it looks something like this: +This docker-compose.override.yml deletes all mails older then 2 weeks from the "Junk" folder every day at 4 am. To see if things ran proper, you can not only see in your mailbox but also check Ofelia's docker log if it looks something like this: ``` common.go:124 ▶ NOTICE [Job "dovecot-expunge-trash" (8759567efa66)] Started - doveadm expunge -A mailbox 'Junk' savedbefore 2w, From 107c39f1ef3ab61e2a903ba851f8acfc510e7a55 Mon Sep 17 00:00:00 2001 From: andryyy Date: Fri, 20 Nov 2020 22:46:47 +0100 Subject: [PATCH 065/220] move webauthn/fido2 --- docs/model-pws.md | 28 ---------------------------- docs/u_e-fido2.md | 15 +++++++++++++++ mkdocs.yml | 2 +- 3 files changed, 16 insertions(+), 29 deletions(-) delete mode 100644 docs/model-pws.md create mode 100644 docs/u_e-fido2.md diff --git a/docs/model-pws.md b/docs/model-pws.md deleted file mode 100644 index 78c935e93..000000000 --- a/docs/model-pws.md +++ /dev/null 
@@ -1,28 +0,0 @@ -# Fully supported hashing methods - -The most current mailcow fully supports the following hashing methods. -The default hashing method is written in bold: - -- **BLF-CRYPT** -- SSHA256 -- SSHA512 - -The methods above can be used in `mailcow.conf` as `MAILCOW_PASS_SCHEME` value. - -## Read-only hashing methods - -The following methods are supported **read only**. - -- MD5-CRYPT -- PLAIN-MD5 -- SHA512-CRYPT - -That means mailcow is able to verify users with a hash like `{PLAIN-MD5}1a1dc91c907325c69271ddf0c944bc72` from the database. - -The value of `MAILCOW_PASS_SCHEME` will _always_ be used to encrypt new passwords. - ---- - -> I changed the password hashes in the "mailbox" SQL table and cannot login. - -A "view" needs to be updated. You can trigger this by restarting sogo-mailcow: `docker-compose restart sogo-mailcow` diff --git a/docs/u_e-fido2.md b/docs/u_e-fido2.md new file mode 100644 index 000000000..49dc78fb8 --- /dev/null +++ b/docs/u_e-fido2.md @@ -0,0 +1,15 @@ +## How is UV handled in mailcow? + +The UV flag (as in "user verification") enforces WebAuthn to verify the user before it allows access to the key (think of a PIN). We don't enforce UV to allow logins via iOS and NFC (YubiKey). + +## Login and key processing + +mailcow uses **client-side key processing**. We ask the authenticator (i.e. YubiKey) to save the registration in its memory. + +A user does not need to enter a username. The available credentials - if any - will be shown to the user when selecting the "key login" via mailcow UI login. + +When calling the login process, the authenticator is not given any credential IDs. This will force it to lookup credentials in its own memory. + +## Who can use WebAuthn to login to mailcow? + +As of today, only administrators and domain administrators are able to setup WebAuthn/FIDO2. diff --git a/mkdocs.yml b/mkdocs.yml index 39c5483f0..704d0f072 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
@@ -44,7 +44,6 @@ nav: - 'ACL': 'model-acl.md' - 'Password hashing': 'model-passwd.md' - 'Sender and receiver model': 'model-sender_rcv.md' - - 'WebAuthn / FIDO2': 'model-fido2.md' - 'Debugging & Troubleshooting': - 'Introduction': debug.md - 'Logs': 'debug-logs.md' @@ -70,6 +69,7 @@ nav: - 'Temporary email aliases': 'u_e-mailcow_ui-spamalias.md' - 'Tagging': 'u_e-mailcow_ui-tagging.md' - 'Two-Factor Authentication': 'u_e-mailcow_ui-tfa.md' + - 'WebAuthn / FIDO2': 'u_e-fido2.md' - 'Postfix': - 'Custom transport maps': 'u_e-postfix-custom_transport.md' - 'Whitelist IP in Postscreen': 'u_e-postfix-postscreen_whitelist.md' From c17b27ddf1a12e59999bc73df5c71c1ba476fbb1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Wed, 25 Nov 2020 18:39:11 +0100 Subject: [PATCH 066/220] Update u_e-dovecot-vmail-volume.md --- docs/u_e-dovecot-vmail-volume.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/docs/u_e-dovecot-vmail-volume.md b/docs/u_e-dovecot-vmail-volume.md index 0cf07aa64..f5cf4fd2e 100644 --- a/docs/u_e-dovecot-vmail-volume.md +++ b/docs/u_e-dovecot-vmail-volume.md 
@@ -1,3 +1,20 @@ +## The "new" way + +**WARNING**: Newer Docker versions seem to complain about existing volumes. You can fix this temporarily by removing the existing volume and start mailcow with the override file. But it seems to be problematic after a reboot (needs to be confirmed). + +An easy, dirty, yet stable workaround is to stop mailcow (`docker-compose down`), remove `/var/lib/docker/volumes/mailcowdockerized_vmail-vol-1/_data` and create a new link to your remote filesystem location, for example: + +``` +mv /var/lib/docker/volumes/mailcowdockerized_vmail-vol-1/_data /var/lib/docker/volumes/mailcowdockerized_vmail-vol-1/_data_backup +ln -s /mnt/volume-xy/vmail_data /var/lib/docker/volumes/mailcowdockerized_vmail-vol-1/_data +``` + +Start mailcow afterwards. + +--- + +## The "old" way + If you want to use another folder for the vmail-volume, you can create a `docker-compose.override.yml` file and add the following content: ``` From 2c236ec3d302321bcd96ba22ad404abf39910df0 Mon Sep 17 00:00:00 2001 From: BlackWolf-Design Date: Mon, 30 Nov 2020 10:25:50 +0100 Subject: [PATCH 067/220] Update firststeps-rp.md it looks like the old version no longer works. no more redirection ... changed, tested and redirects now again --- docs/firststeps-rp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/firststeps-rp.md b/docs/firststeps-rp.md index 11b266167..c37bc2c01 100644 --- a/docs/firststeps-rp.md +++ b/docs/firststeps-rp.md @@ -50,7 +50,7 @@ Let's Encrypt will follow our rewrite, certificate requests in mailcow will work ServerAlias autoconfig.* RewriteEngine on - RewriteCond %{HTTPS} !=on + RewriteCond %{HTTPS} off RewriteRule ^/?(.*) https://%{HTTP_HOST}/$1 [R=301,L] ProxyPass / http://127.0.0.1:8080/ From b94534b6607794feb47b1d22b781cbda97c01fdb Mon Sep 17 00:00:00 2001 
From: Katos <7927609+katosdev@users.noreply.github.com> Date: Fri, 4 Dec 2020 19:12:18 +0000 Subject: [PATCH 068/220] Update u_e-unbound-fwd.md Amend grammar from "NO NOT USE" to "DO NOT USE" --- docs/u_e-unbound-fwd.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/u_e-unbound-fwd.md b/docs/u_e-unbound-fwd.md index b8caaf616..e4a64f612 100644 --- a/docs/u_e-unbound-fwd.md +++ b/docs/u_e-unbound-fwd.md @@ -11,8 +11,8 @@ Edit `data/conf/unbound/unbound.conf` and append the following parameters: ``` forward-zone: name: "." - forward-addr: 8.8.8.8 # NO NOT USE PUBLIC DNS SERVERS - JUST AN EXAMPLE - forward-addr: 8.8.4.4 # NO NOT USE PUBLIC DNS SERVERS - JUST AN EXAMPLE + forward-addr: 8.8.8.8 # DO NOT USE PUBLIC DNS SERVERS - JUST AN EXAMPLE + forward-addr: 8.8.4.4 # DO NOT USE PUBLIC DNS SERVERS - JUST AN EXAMPLE ``` Restart Unbound: From bbe373b298d0ffc1efeefbeeae49dc9776ae99d6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Mon, 7 Dec 2020 07:53:16 +0100 Subject: [PATCH 069/220] Update model-passwd.md --- docs/model-passwd.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/model-passwd.md b/docs/model-passwd.md index c06642039..daddcb59d 100644 --- a/docs/model-passwd.md +++ b/docs/model-passwd.md @@ -4,6 +4,7 @@ The most current mailcow fully supports the following hashing methods. The default hashing method is written in bold: - **BLF-CRYPT** +- SSHA - SSHA256 - SSHA512 From e270b798488ac22f8c76674068fb9e59ab6864ad Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Thu, 17 Dec 2020 09:32:50 +0100 Subject: [PATCH 070/220] Update prerequisite-system.md --- docs/prerequisite-system.md | 28 ++++++++++++++++++++-------- 1 file changed, 20 insertions(+), 8 deletions(-) diff --git a/docs/prerequisite-system.md b/docs/prerequisite-system.md index 181411600..f378b7487 100644 --- a/docs/prerequisite-system.md +++ b/docs/prerequisite-system.md 
@@ -16,16 +16,28 @@ Before you run **mailcow: dockerized**, there are a few requirements that you sh Please make sure that your system has at least the following resources: -| Resource | mailcow: dockerized | -| ----------------------- | -------------------------------------------- | -| CPU | 1 GHz | -| RAM                     | Minimum 4 GiB + Swap | -| Disk | 20 GiB (without emails) | -| System Type | x86_64 | +| Resource | mailcow: dockerized | +| ----------------------- | ------------------------------------------------ | +| CPU | 1 GHz | +| RAM                     | **Minimum** 6 GiB + 1 GiB swap (default config) | +| Disk | 20 GiB (without emails) | +| System Type | x86_64 | -As of today (29th Dec 2019), we recommend using any distribution listed as supported by Docker CE (check https://docs.docker.com/install/). We test on CentOS 7, Debian 9/10 and Ubuntu 18.04. +We recommend using any distribution listed as supported by Docker CE (check https://docs.docker.com/install/). We test on CentOS 7, Debian 9/10 and Ubuntu 18.04/20.04. -ClamAV and Solr are greedy RAM munchers. You can disable them in `mailcow.conf` by settings SKIP_CLAMD=y and SKIP_SOLR=y. +ClamAV and Solr can be greedy with RAM. You may disable them in `mailcow.conf` by settings `SKIP_CLAMD=y` and `SKIP_SOLR=y`. + +**Info**: We are aware that a pure MTA can run on 128 MiB RAM. mailcow is a full-grown and ready-to-use groupware with many extras making life easier. mailcow comes with a webserver, webmailer, ActiveSync (MS), antivirus, antispam, indexing (Solr), document scanner (Oletools), SQL (MariaDB), Cache (Redis), MDA, MTA, various web services etc. + +A single SOGo worker **can** acquire ~350 MiB RAM before it gets purged. The more ActiveSync connections you plan to use, the more RAM you will need. A default configuration spawns 20 workers. + +#### Usage examples + +A company with 15 phones (EAS enabled) and about 50 concurrent IMAP connections should plan 16 GB RAM. 
+ +6 GiB RAM + 1 GiB swap are fine for most private installations while 8 GiB RAM are recommended for ~5 to 10 users. + +We can help to correctly plan your setup as part of our support. ## Firewall & Ports From 902f74a8c47822941b28164d092e4d643362bf3c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Thu, 17 Dec 2020 09:33:34 +0100 Subject: [PATCH 071/220] Update prerequisite-system.md --- docs/prerequisite-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/prerequisite-system.md b/docs/prerequisite-system.md index f378b7487..82c746cbb 100644 --- a/docs/prerequisite-system.md +++ b/docs/prerequisite-system.md @@ -12,7 +12,7 @@ Before you run **mailcow: dockerized**, there are a few requirements that you sh ## Minimum System Resources -**Do not** use OpenVZ or LXC as guests for mailcow. +**OpenVZ or LXC are not supported**. Please make sure that your system has at least the following resources: From f2fe6862dfa33780092311366ecd3dd4e1f64ed6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Thu, 17 Dec 2020 19:30:35 +0100 Subject: [PATCH 072/220] Update prerequisite-system.md --- docs/prerequisite-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/prerequisite-system.md b/docs/prerequisite-system.md index 82c746cbb..842bbd368 100644 --- a/docs/prerequisite-system.md +++ b/docs/prerequisite-system.md @@ -33,7 +33,7 @@ A single SOGo worker **can** acquire ~350 MiB RAM before it gets purged. The mor #### Usage examples -A company with 15 phones (EAS enabled) and about 50 concurrent IMAP connections should plan 16 GB RAM. +A company with 15 phones (EAS enabled) and about 50 concurrent IMAP connections should plan 16 GiB RAM. 6 GiB RAM + 1 GiB swap are fine for most private installations while 8 GiB RAM are recommended for ~5 to 10 users. From bd1021ad0a3618180431e17a8dd6b69c72df63dc Mon Sep 17 00:00:00 2001 
From: Bojan Bogojevic <20166636+Bojan023@users.noreply.github.com> Date: Wed, 23 Dec 2020 17:37:53 +0100 Subject: [PATCH 073/220] Order DNS records alphabetically and fix capital m original record with capital M: _carddavs._tcp IN SRV 0 1 443 Mail.example.org. --- docs/prerequisite-dns.md | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/docs/prerequisite-dns.md b/docs/prerequisite-dns.md index 596c84d51..1de6f22b7 100644 --- a/docs/prerequisite-dns.md +++ b/docs/prerequisite-dns.md @@ -58,18 +58,21 @@ _dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:mailauth-reports@ ``` # Name Type Priority Weight Port Value +_autodiscover._tcp IN SRV 0 1 443 mail.example.org. +_caldavs._tcp IN SRV 0 1 443 mail.example.org. +_caldavs._tcp IN TXT "path=/SOGo/dav/" +_carddavs._tcp IN SRV 0 1 443 Mail.example.org. +_carddavs._tcp IN TXT "path=/SOGo/dav/" _imap._tcp IN SRV 0 1 143 mail.example.org. _imaps._tcp IN SRV 0 1 993 mail.example.org. _pop3._tcp IN SRV 0 1 110 mail.example.org. _pop3s._tcp IN SRV 0 1 995 mail.example.org. -_submission._tcp IN SRV 0 1 587 mail.example.org. -_smtps._tcp IN SRV 0 1 465 mail.example.org. _sieve._tcp IN SRV 0 1 4190 mail.example.org. -_autodiscover._tcp IN SRV 0 1 443 mail.example.org. -_carddavs._tcp IN SRV 0 1 443 Mail.example.org. -_carddavs._tcp IN TXT "path=/SOGo/dav/" -_caldavs._tcp IN SRV 0 1 443 mail.example.org. -_caldavs._tcp IN TXT "path=/SOGo/dav/" +_smtps._tcp IN SRV 0 1 465 mail.example.org. +_submission._tcp IN SRV 0 1 587 mail.example.org. + + + ``` ## Testing From b65cd3b8d3ee313efde9e869a684a79147e33a9b Mon Sep 17 00:00:00 2001 From: Mitch Brown Date: Wed, 23 Dec 2020 12:57:09 -0800 Subject: [PATCH 074/220] Update debug-rm_volumes.md Fixed typo --- docs/debug-rm_volumes.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/debug-rm_volumes.md b/docs/debug-rm_volumes.md index 1e2d78366..fc8cd7b25 100644 --- a/docs/debug-rm_volumes.md +++ b/docs/debug-rm_volumes.md 
@@ -1,6 +1,6 @@ You may want to remove a set of persistent data to resolve a conflict or to start over. -`mailcowdockerized` can vary and depends on your compose project name (if it's unchanged, `mailcowdockerized` is the correct value). If you are unsure about volume names, run `docker volumes ls` for a full list. +`mailcowdockerized` can vary and depends on your compose project name (if it's unchanged, `mailcowdockerized` is the correct value). If you are unsure about volume names, run `docker volume ls` for a full list. Delete a single volume: From d3895e3744247976e941fa5fe704c54a6a7d2d47 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Thu, 24 Dec 2020 21:05:03 +0100 Subject: [PATCH 075/220] Update prerequisite-system.md --- docs/prerequisite-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/prerequisite-system.md b/docs/prerequisite-system.md index 842bbd368..32230b14a 100644 --- a/docs/prerequisite-system.md +++ b/docs/prerequisite-system.md @@ -12,7 +12,7 @@ Before you run **mailcow: dockerized**, there are a few requirements that you sh ## Minimum System Resources -**OpenVZ or LXC are not supported**. +**OpenVZ, Virtuozzo and LXC are not supported**. Please make sure that your system has at least the following resources: From 1b92325527dbe233c93d1e3c2c03c3f925f0c74e Mon Sep 17 00:00:00 2001 From: Patrik Kernstock Date: Tue, 5 Jan 2021 23:10:55 +0000 Subject: [PATCH 076/220] Added note regarding piler 1.3.10 --- docs/u_e-mailpiler-integration.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/docs/u_e-mailpiler-integration.md b/docs/u_e-mailpiler-integration.md index eaea027dd..c3e4f417b 100644 --- a/docs/u_e-mailpiler-integration.md +++ b/docs/u_e-mailpiler-integration.md 
@@ -2,6 +2,9 @@ This is a simple integration of mailcow aliases and the mailbox name into mailpi **Disclaimer**: This is not officially maintained nor supported by the mailcow project nor its contributors. No warranty or support is being provided, however you're free to open issues on GitHub for filing a bug or provide further ideas. [GitHub repo can be found here](https://github.com/patschi/mailpiler-mailcow-integration). +!!! info + Support for domain wildcards were implemented in Piler 1.3.10 which was released on 03.01.2021. Prior versions basically do work, but after logging in you won't see emails sent from or to the domain alias. (e.g. when @example.com is an alias for admin@example.com) + ## The problem to solve mailpiler offers the authentication based on IMAP, for example: @@ -30,7 +33,7 @@ Note: File paths might vary depending on your setup. ### Requirements - A working mailcow instance -- A working mailpiler instance ([You can find an installation guide here](https://patrik.kernstock.net/2020/08/mailpiler-installation-guide/)) +- A working mailpiler instance ([You can find an installation guide here](https://patrik.kernstock.net/2020/08/mailpiler-installation-guide/), [check supported versions here](https://github.com/patschi/mailpiler-mailcow-integration#piler)) - An mailcow API key (read-only works just fine): `Configuration & Details - Access - Read-Only Access`. Don't forget to allow API access from your mailpiler IP. !!! warning From 9a54b266d931b849964a25b8b1b90c8fd9c51f5c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Thu, 7 Jan 2021 16:44:23 +0100 Subject: [PATCH 077/220] Update firststeps-ip_bindings.md --- docs/firststeps-ip_bindings.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/firststeps-ip_bindings.md b/docs/firststeps-ip_bindings.md index e04d5bbd6..a10c3af49 100644 --- a/docs/firststeps-ip_bindings.md +++ b/docs/firststeps-ip_bindings.md 
@@ -8,11 +8,12 @@ To adjust one or multiple IPv4 bindings, open `mailcow.conf` and edit one, multi ``` # For technical reasons, http bindings are a bit different from other service bindings. # You will find the following variables, separated by a bind address and its port: +# Example: HTTP_BIND=1.2.3.4 HTTP_PORT=80 -HTTP_BIND=0.0.0.0 +HTTP_BIND= HTTPS_PORT=443 -HTTPS_BIND=0.0.0.0 +HTTPS_BIND= # Other services are bound by using the following format: # SMTP_PORT=25 equals to SMTP_PORT=0.0.0.0:25 From 141b1fe9e79cb7beac8291a868c6d6ef98347cb3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Thu, 7 Jan 2021 22:20:11 +0100 Subject: [PATCH 078/220] Update u_e-80_to_443.md --- docs/u_e-80_to_443.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/u_e-80_to_443.md b/docs/u_e-80_to_443.md index bfd486665..f18159782 100644 --- a/docs/u_e-80_to_443.md +++ b/docs/u_e-80_to_443.md @@ -2,7 +2,7 @@ Since February the 28th 2017 mailcow does come with port 80 and 443 enabled. **Do not use the config below for reverse proxy setups**, please see our reverse proxy guide for this, which includes a redirect from HTTP to HTTPS. -Open `mailcow.conf` and set `HTTP_BIND=0.0.0.0` - if not already set. +Open `mailcow.conf` and set `HTTP_BIND=` - if not already set. Create a new file `data/conf/nginx/redirect.conf` and add the following server config to the file: From 1e5908eae3c0bee896f21875aa256bef7c6d14c0 Mon Sep 17 00:00:00 2001 From: andryyy Date: Thu, 7 Jan 2021 22:22:35 +0100 Subject: [PATCH 079/220] Add 0.0.0.0 note --- docs/firststeps-ip_bindings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/firststeps-ip_bindings.md b/docs/firststeps-ip_bindings.md index a10c3af49..86a1764fd 100644 --- a/docs/firststeps-ip_bindings.md +++ b/docs/firststeps-ip_bindings.md 
@@ -16,8 +16,8 @@ HTTPS_PORT=443 HTTPS_BIND= # Other services are bound by using the following format: -# SMTP_PORT=25 equals to SMTP_PORT=0.0.0.0:25 # SMTP_PORT=1.2.3.4:25 will bind SMTP to the IP 1.2.3.4 on port 25 +# Important! Specifying an IPv4 address will skip all IPv6 bindings since Docker 20.x. # doveadm, SQL as well as Solr are bound to local ports only, please do not change that, unless you know what you are doing. SMTP_PORT=25 From fe00ff90e1454e08823ce09011d77ff9bf052eaf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Fri, 8 Jan 2021 12:37:59 +0100 Subject: [PATCH 080/220] Update u_e-webmail-site.md --- docs/u_e-webmail-site.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/u_e-webmail-site.md b/docs/u_e-webmail-site.md index 83b4777a0..31c9e1e65 100644 --- a/docs/u_e-webmail-site.md +++ b/docs/u_e-webmail-site.md @@ -1,4 +1,4 @@ -**Edit**: TODO: This guide only applies to non SNI enabled configurations. The certificate path needs to be adjusted if SNI is enabled. Something like `ssl_certificate,key /etc/ssl/mail/webmail.example.org/cert.pem,key.pem;` will do. **But**: The certificate should be acquired **first** and only after the certificate exists a site config should be created. Nginx will fail to start if it cannot find the certificate and key. +**IMPORTANT**: This guide only applies to non SNI enabled configurations. The certificate path needs to be adjusted if SNI is enabled. Something like `ssl_certificate,key /etc/ssl/mail/webmail.example.org/cert.pem,key.pem;` will do. **But**: The certificate should be acquired **first** and only after the certificate exists a site config should be created. Nginx will fail to start if it cannot find the certificate and key. To create a subdomain `webmail.example.org` and redirect it to SOGo, you need to create a **new** Nginx site. Take care of "CHANGE_TO_MAILCOW_HOSTNAME"! From 3f0d709370ea68f6273432b76a08f07ef5375b10 Mon Sep 17 00:00:00 2001 
From: ValdikSS Date: Mon, 11 Jan 2021 18:59:04 +0300 Subject: [PATCH 081/220] Add postscreen whitelist syntax and examples --- docs/u_e-postfix-postscreen_whitelist.md | 23 ++++++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/docs/u_e-postfix-postscreen_whitelist.md b/docs/u_e-postfix-postscreen_whitelist.md index 2104dfb31..62aea3753 100644 --- a/docs/u_e-postfix-postscreen_whitelist.md +++ b/docs/u_e-postfix-postscreen_whitelist.md @@ -1,3 +1,20 @@ -IPs can be removed from Postscreen and therefore _also_ from RBL checks in `data/conf/postfix/custom_postscreen_whitelist.cidr`. - -Postscreen does multiple checks to identify malicious senders. In most cases you want to whitelist an IP to exclude it from blacklist lookups. +IPs can be removed from Postscreen and therefore _also_ from RBL checks in `data/conf/postfix/custom_postscreen_whitelist.cidr`. + +Postscreen does multiple checks to identify malicious senders. In most cases you want to whitelist an IP to exclude it from blacklist lookups. + +The format of the file is as follows: + +`CIDR ACTION` + +Where CIDR is a single IP address or IP range in CIDR notation, and action is either "permit" or "reject". + +Example: + +``` +# Rules are evaluated in the order as specified. +# Blacklist 192.168.* except 192.168.0.1. +192.168.0.1 permit +192.168.0.0/16 reject +``` + +The file is reloaded on the fly, postfix restart is not required. \ No newline at end of file From 294220fe8197c6d87b59a6fa3beb409ba1bac7f7 Mon Sep 17 00:00:00 2001 From: Anand Dyavanapalli Date: Tue, 12 Jan 2021 20:41:58 -0500 Subject: [PATCH 082/220] typo: Change `role` to `roll`. --- docs/i_u_m_update.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/i_u_m_update.md b/docs/i_u_m_update.md index 618aa5361..d20b76676 100644 --- a/docs/i_u_m_update.md +++ b/docs/i_u_m_update.md 
@@ -52,7 +52,7 @@ dacd4fb9b51e9e1c8a37d84485b92ffaf6c59353 Before update on 2020-08-07_13_31_31 Run `git diff 22cd00b5e28893ef9ddef3c2b5436453cc5223ab` to see what changed. -### Can I role back? +### Can I roll back? Yes. From f6e8862ba987778fb94efa5c8abbefa9190db7a6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Mon, 18 Jan 2021 07:42:52 +0100 Subject: [PATCH 083/220] Update i_u_m_install.md --- docs/i_u_m_install.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/i_u_m_install.md b/docs/i_u_m_install.md index 62a333752..ddb7d28f6 100644 --- a/docs/i_u_m_install.md +++ b/docs/i_u_m_install.md @@ -1,6 +1,6 @@ !!! warning Make sure you've read ["Prepare Your System"](https://mailcow.github.io/mailcow-dockerized-docs/prerequisite-system) before proceeding! - **Do not** use CentOS 8 with Centos 7 Docker packages. You may create an open relay. + **We do not recommend** CentOS 8 anymore. You need Docker and Docker Compose. From 6e45a4b4e80597484f18f4768fb0a386d02c5b6e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Mon, 18 Jan 2021 07:43:34 +0100 Subject: [PATCH 084/220] Update prerequisite-system.md --- docs/prerequisite-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/prerequisite-system.md b/docs/prerequisite-system.md index 32230b14a..4efdd4c4e 100644 --- a/docs/prerequisite-system.md +++ b/docs/prerequisite-system.md 
@@ -2,7 +2,7 @@ Before you run **mailcow: dockerized**, there are a few requirements that you sh !!! warning Do **not** try to install mailcow on a Synology/QNAP device (any NAS), OpenVZ, LXC or other container platforms. KVM, ESX, Hyper-V and other full virtualization platforms are supported. - Do **not** use CentOS 8 with Centos 7 Docker packages. You may create an open relay. + We **do not** recommend to use CentOS 8 anymore! !!! info - mailcow: dockerized requires [some ports](#default-ports) to be open for incoming connections, so make sure that your firewall is not blocking these. From 20c3fa5f99c3159921fd211818b7ec5bac37ced8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Sun, 24 Jan 2021 09:50:12 +0100 Subject: [PATCH 085/220] Update prerequisite-system.md --- docs/prerequisite-system.md | 47 +++++++++++++++++++++++++++++++++++-- 1 file changed, 45 insertions(+), 2 deletions(-) diff --git a/docs/prerequisite-system.md b/docs/prerequisite-system.md index 4efdd4c4e..252228c2c 100644 --- a/docs/prerequisite-system.md +++ b/docs/prerequisite-system.md @@ -53,8 +53,6 @@ netstat -tulpn | grep -E -w '25|80|110|143|443|465|587|993|995|4190' There are several problems with running mailcow on a firewalld/ufw enabled system. You should disable it (if possible) and move your ruleset to the DOCKER-USER chain, which is not cleared by a Docker service restart, instead. See [this blog post](https://blog.donnex.net/docker-and-iptables-filtering/) for information about how to use iptables-persistent with the DOCKER-USER chain. As mailcow runs dockerized, INPUT rules have no effect on restricting access to mailcow. Use the FORWARD chain instead. -** - If this command returns any results please remove or stop the application running on that port. You may also adjust mailcows ports via the `mailcow.conf` configuration file. ### Default Ports 
@@ -77,6 +75,51 @@ To bind a service to an IP address, you can prepend the IP like this: `SMTP_PORT **Important**: You cannot use IP:PORT bindings in HTTP_PORT and HTTPS_PORT. Please use `HTTP_PORT=1234` and `HTTP_BIND=1.2.3.4` instead. +### Important for Hetzner firewalls + +Quoting https://github.com/chermsen via https://github.com/mailcow/mailcow-dockerized/issues/497#issuecomment-469847380 (THANK YOU!): + +For all who are struggling with the Hetzner firewall: + +Port 53 unimportant for the firewall configuration in this case. According to the documentation unbound uses the port range 1024-65535 for outgoing requests. +Since the Hetzner Robot Firewall is a static firewall (each incoming packet is checked isolated) - the following rules must be applied: + +**For TCP** +``` +SRC-IP: --- +DST IP: --- +SRC Port: --- +DST Port: 1024-65535 +Protocol: tcp +TCP flags: ack +Action: Accept +``` + +**For UDP** +``` +SRC-IP: --- +DST IP: --- +SRC Port: --- +DST Port: 1024-65535 +Protocol: udp +Action: Accept +``` + +If you want to apply a more restrictive port range you have to change the config of unbound first (after installation): + +{mailcow-dockerized}/data/conf/unbound/unbound.conf: +``` +outgoing-port-avoid: 0-32767 +``` + +Now the firewall rules can be adjusted as follows: + +``` +[...] +DST Port: 32768-65535 +[...] +``` + ## Date and Time To ensure that you have the correct date and time setup on your system, please check the output of `timedatectl status`: From a2f749806a8a6617a05557c1c999224162b9a3ee Mon Sep 17 00:00:00 2001 From: Dmitriy Alekseev <1865999+dragoangel@users.noreply.github.com> Date: Sat, 30 Jan 2021 21:52:25 +0200 Subject: [PATCH 086/220] Update u_e-sogo.md --- docs/u_e-sogo.md | 39 +++++++++++++++++++++++++++++++++++---- 1 file changed, 35 insertions(+), 4 deletions(-) diff --git a/docs/u_e-sogo.md b/docs/u_e-sogo.md index aead9520b..62b6f5c36 100644 --- a/docs/u_e-sogo.md +++ b/docs/u_e-sogo.md 
@@ -1,10 +1,41 @@ SOGo is used for accessing your mails via a webbrowser, adding and sharing your contacts or calendars. For a more in-depth documentation on SOGo please visit its [own documentation](http://wiki.sogo.nu/). -## Change Theme -As of December 21 2018 we removed our custom themes due to complains about missing colors in some address book and calendar sections. Some other problems were still existing and would not be fixed in the near future (switching colors on login screen, for example). +## Change theme +mailcow builds after 28 January 2021 can change SOGo's theme by editing `data/conf/sogo/custom-theme.js`. +Please check AngularJS Material [Intro](https://material.angularjs.org/latest/Theming/01_introduction) and [Configuring a theme](https://material.angularjs.org/latest/Theming/03_configuring_a_theme) documentation to get more details on how this works. +After you updated said file you need to restart SOGo and Memcached containers by executing `docker-compose restart memcached-mailcow sogo-mailcow`. 
-## Change Logo +## Reset to SOGo default theme +Checkout `data/conf/sogo/custom-theme.js` by executing `git fetch ; git checkout origin/master data/conf/sogo/custom-theme.js data/conf/sogo/custom-theme.js` +Find in `data/conf/sogo/custom-theme.js`: +``` +// Apply new palettes to the default theme, remap some of the hues + $mdThemingProvider.theme('default') + .primaryPalette('green-cow', { + 'default': '400', // background color of top toolbars + 'hue-1': '400', + 'hue-2': '600', // background color of sidebar toolbar + 'hue-3': 'A700' + }) + .accentPalette('green', { + 'default': '600', // background color of fab buttons + 'hue-1': '300', // background color of center list toolbar + 'hue-2': '300', + 'hue-3': 'A700' + }) + .backgroundPalette('frost-grey'); +``` +and replace with: +``` + $mdThemingProvider.theme('default'); +``` + +## Change favicon +mailcow builds after 30 January 2021 can change SOGo's favicon by replacing `data/conf/sogo/custom-favicon.ico`. +After you replaced said file you need to restart SOGo and Memcached containers by executing `docker-compose restart memcached-mailcow sogo-mailcow`. + +## Change logo mailcow builds after 21 December 2018 can change SOGo's logo by replacing `data/conf/sogo/sogo-full.svg`. After you replaced said file you need to restart SOGo and Memcached containers by executing `docker-compose restart memcached-mailcow sogo-mailcow`. @@ -34,5 +65,5 @@ Restart SOGo: `docker-compose restart sogo-mailcow` Edit `data/conf/sogo/sogo.conf` and **change** `SOGoPasswordChangeEnabled` to `NO`. Please do not add a new parameter. -Run `docker-compose restart sogo-mailcow memcached-mailcow` to activate the changes. +Run `docker-compose restart memcached-mailcow sogo-mailcow` to activate the changes. From e57e0439b56768b81dc0bb184544cdfd5a463862 Mon Sep 17 00:00:00 2001 
From: Dmitriy Alekseev <1865999+dragoangel@users.noreply.github.com> Date: Sat, 30 Jan 2021 22:37:43 +0200 Subject: [PATCH 087/220] Update u_e-sogo.md --- docs/u_e-sogo.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/u_e-sogo.md b/docs/u_e-sogo.md index 62b6f5c36..593638629 100644 --- a/docs/u_e-sogo.md +++ b/docs/u_e-sogo.md @@ -33,6 +33,7 @@ and replace with: ## Change favicon mailcow builds after 30 January 2021 can change SOGo's favicon by replacing `data/conf/sogo/custom-favicon.ico`. +To note: you can use `.png` favicons, renaming them `custom-favicon.ico` will works, but please use standard `.ico` dimensions, e.g: 16x16, 32x32, 64x64, 128x128 and 256x256. After you replaced said file you need to restart SOGo and Memcached containers by executing `docker-compose restart memcached-mailcow sogo-mailcow`. ## Change logo From e93aa3176897193c4440778e8936b5dbed6a5c31 Mon Sep 17 00:00:00 2001 From: Dmitriy Alekseev <1865999+dragoangel@users.noreply.github.com> Date: Sat, 30 Jan 2021 22:40:31 +0200 Subject: [PATCH 088/220] Update u_e-sogo.md --- docs/u_e-sogo.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/u_e-sogo.md b/docs/u_e-sogo.md index 593638629..7e39ecd71 100644 --- a/docs/u_e-sogo.md +++ b/docs/u_e-sogo.md 
@@ -3,7 +3,7 @@ SOGo is used for accessing your mails via a webbrowser, adding and sharing your ## Change theme mailcow builds after 28 January 2021 can change SOGo's theme by editing `data/conf/sogo/custom-theme.js`. -Please check AngularJS Material [Intro](https://material.angularjs.org/latest/Theming/01_introduction) and [Configuring a theme](https://material.angularjs.org/latest/Theming/03_configuring_a_theme) documentation to get more details on how this works. +Please check AngularJS Material [Intro](https://material.angularjs.org/latest/Theming/01_introduction) & [Configuring theme](https://material.angularjs.org/latest/Theming/03_configuring_a_theme) documentation with [Material Style Color](https://material.io/archive/guidelines/style/color.html#color-color-palette) page to learn how this works. After you updated said file you need to restart SOGo and Memcached containers by executing `docker-compose restart memcached-mailcow sogo-mailcow`. ## Reset to SOGo default theme From 5eb6e7620b32fbce89eda95bdf69634249b8367a Mon Sep 17 00:00:00 2001 From: Dmitriy Alekseev <1865999+dragoangel@users.noreply.github.com> Date: Sat, 30 Jan 2021 23:57:00 +0200 Subject: [PATCH 089/220] Update u_e-sogo.md --- docs/u_e-sogo.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/u_e-sogo.md b/docs/u_e-sogo.md index 7e39ecd71..454d07653 100644 --- a/docs/u_e-sogo.md +++ b/docs/u_e-sogo.md 
@@ -32,8 +32,9 @@ and replace with: ``` ## Change favicon -mailcow builds after 30 January 2021 can change SOGo's favicon by replacing `data/conf/sogo/custom-favicon.ico`. -To note: you can use `.png` favicons, renaming them `custom-favicon.ico` will works, but please use standard `.ico` dimensions, e.g: 16x16, 32x32, 64x64, 128x128 and 256x256. +mailcow builds after 30 January 2021 can change SOGo's favicon by replacing `data/conf/sogo/custom-favicon.ico` for SOGo and `data/web/favicon.png` for mailcow UI. +To note: you can use `.png` favicons for SOGo, by renaming them to `custom-favicon.ico`. +For both SOGo and mailcow UI faviconsyou need use one of standard dimensions: 16x16, 32x32, 64x64, 128x128 and 256x256. After you replaced said file you need to restart SOGo and Memcached containers by executing `docker-compose restart memcached-mailcow sogo-mailcow`. ## Change logo From f91dccc74b68e65fc7030872afb0d86a63c60c38 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Sun, 31 Jan 2021 09:50:06 +0100 Subject: [PATCH 090/220] Update u_e-sogo.md --- docs/u_e-sogo.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/u_e-sogo.md b/docs/u_e-sogo.md index 454d07653..38a79c871 100644 --- a/docs/u_e-sogo.md +++ b/docs/u_e-sogo.md 
@@ -3,7 +3,7 @@ SOGo is used for accessing your mails via a webbrowser, adding and sharing your ## Change theme mailcow builds after 28 January 2021 can change SOGo's theme by editing `data/conf/sogo/custom-theme.js`. -Please check AngularJS Material [Intro](https://material.angularjs.org/latest/Theming/01_introduction) & [Configuring theme](https://material.angularjs.org/latest/Theming/03_configuring_a_theme) documentation with [Material Style Color](https://material.io/archive/guidelines/style/color.html#color-color-palette) page to learn how this works. +Please check the AngularJS Material [intro](https://material.angularjs.org/latest/Theming/01_introduction) and [documentation](https://material.angularjs.org/latest/Theming/03_configuring_a_theme) as well as the [material style guideline](https://material.io/archive/guidelines/style/color.html#color-color-palette) to learn how this works. After you updated said file you need to restart SOGo and Memcached containers by executing `docker-compose restart memcached-mailcow sogo-mailcow`. ## Reset to SOGo default theme From 7a6bd9b249af70ea0dc2c6fc80d103f14bfa42b6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Sun, 31 Jan 2021 09:54:45 +0100 Subject: [PATCH 091/220] Update u_e-sogo.md --- docs/u_e-sogo.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/u_e-sogo.md b/docs/u_e-sogo.md index 38a79c871..909e10918 100644 --- a/docs/u_e-sogo.md +++ b/docs/u_e-sogo.md 
@@ -32,13 +32,13 @@ and replace with: ``` ## Change favicon -mailcow builds after 30 January 2021 can change SOGo's favicon by replacing `data/conf/sogo/custom-favicon.ico` for SOGo and `data/web/favicon.png` for mailcow UI. -To note: you can use `.png` favicons for SOGo, by renaming them to `custom-favicon.ico`. -For both SOGo and mailcow UI faviconsyou need use one of standard dimensions: 16x16, 32x32, 64x64, 128x128 and 256x256. +mailcow builds after 31 January 2021 can change SOGo's favicon by replacing `data/conf/sogo/custom-favicon.ico` for SOGo and `data/web/favicon.png` for mailcow UI. +**Note**: You can use `.png` favicons for SOGo by renaming them to `custom-favicon.ico`. +For both SOGo and mailcow UI favicons you need use one of the standard dimensions: 16x16, 32x32, 64x64, 128x128 and 256x256. After you replaced said file you need to restart SOGo and Memcached containers by executing `docker-compose restart memcached-mailcow sogo-mailcow`. ## Change logo -mailcow builds after 21 December 2018 can change SOGo's logo by replacing `data/conf/sogo/sogo-full.svg`. +mailcow builds after 21 December 2018 can change SOGo's logo by replacing or creating (if missing) `data/conf/sogo/sogo-full.svg`. After you replaced said file you need to restart SOGo and Memcached containers by executing `docker-compose restart memcached-mailcow sogo-mailcow`. ## Connect domains From 612177cb374025f6b4810a630d0b2885b5f66d57 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Mon, 1 Feb 2021 08:03:20 +0100 Subject: [PATCH 092/220] Update prerequisite-system.md --- docs/prerequisite-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/prerequisite-system.md b/docs/prerequisite-system.md index 252228c2c..c70415166 100644 --- a/docs/prerequisite-system.md +++ b/docs/prerequisite-system.md 
@@ -50,7 +50,7 @@ netstat -tulpn | grep -E -w '25|80|110|143|443|465|587|993|995|4190' ``` !!! warning - There are several problems with running mailcow on a firewalld/ufw enabled system. You should disable it (if possible) and move your ruleset to the DOCKER-USER chain, which is not cleared by a Docker service restart, instead. See [this blog post](https://blog.donnex.net/docker-and-iptables-filtering/) for information about how to use iptables-persistent with the DOCKER-USER chain. + There are several problems with running mailcow on a firewalld/ufw enabled system. You should disable it (if possible) and move your ruleset to the DOCKER-USER chain, which is not cleared by a Docker service restart, instead. See [this (blog.donnex.net)](https://blog.donnex.net/docker-and-iptables-filtering/) or [this (unrouted.io)](https://unrouted.io/2017/08/15/docker-firewall/) guide for information about how to use iptables-persistent with the DOCKER-USER chain. As mailcow runs dockerized, INPUT rules have no effect on restricting access to mailcow. Use the FORWARD chain instead. If this command returns any results please remove or stop the application running on that port. You may also adjust mailcows ports via the `mailcow.conf` configuration file. From c8d1efea25abba0599a61b416fd318a81fbe5ec6 Mon Sep 17 00:00:00 2001 From: Daniel Date: Sun, 7 Feb 2021 15:25:23 +0100 Subject: [PATCH 093/220] Internal subnet Adding the internal subnet to the nc configuration. Helped to access the nc instance via my reverse proxy. It was accessible from outside, just not from inside. --- docs/third_party-nextcloud.md | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/docs/third_party-nextcloud.md b/docs/third_party-nextcloud.md index c6466b7de..2173bcdd5 100644 --- a/docs/third_party-nextcloud.md +++ b/docs/third_party-nextcloud.md 
@@ -75,3 +75,31 @@ If you have previously used Nextcloud without mailcow authentication, but with t ``` INSERT INTO nc_sociallogin_connect (uid, identifier) SELECT DISTINCT uid, CONCAT("Mailcow-", uid) FROM nc_users; ``` + +--- + +## Update + +The Nextcloud instance can be updated easily with the web update mechanism. In the case of larger updates, there may be further changes to be made after the update. After the Nextcloud instance has been checked, problems are shown. This can be e.g. missing indices in the DB or similar. +It shows which commands have to be executed, these have to be placed in the php-fpm-mailcow container. + +As an an example run the following command to add the missing indices. +`docker exec -it -u www-data $ (docker ps -f name = php-fpm-mailcow -q) bash -c "php / web / nextcloud / occ db: add-missing-indices"` + +--- + +## Debugging & Troubleshooting + +It may happen that you cannot reach the Nextcloud instance from your network. This may be due to the fact that the entry of your subnet in the array 'trusted_proxies' is missing. You can make changes in the Nextcloud config.php in data/web/nextcloud/config/*. + +``` +'trusted_proxies' => + array ( + 0 => 'fd4d:6169:6c63:6f77::/64', + 1 => '172.22.1.0/24', + 2 => 'NewSubnet/24', + ), +``` + +After the changes have been made, the nginx container must be restarted. +`docker-compose restart nginx-mailcow` From 87e6f4b89fb4a667aee9dddcf1f17b2e83df0c0d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Sun, 7 Feb 2021 20:13:55 +0100 Subject: [PATCH 094/220] Update third_party-nextcloud.md --- docs/third_party-nextcloud.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/third_party-nextcloud.md b/docs/third_party-nextcloud.md index 2173bcdd5..388464be8 100644 --- a/docs/third_party-nextcloud.md +++ b/docs/third_party-nextcloud.md 
@@ -84,13 +84,13 @@ The Nextcloud instance can be updated easily with the web update mechanism. In t It shows which commands have to be executed, these have to be placed in the php-fpm-mailcow container. As an an example run the following command to add the missing indices. -`docker exec -it -u www-data $ (docker ps -f name = php-fpm-mailcow -q) bash -c "php / web / nextcloud / occ db: add-missing-indices"` +`docker exec -it -u www-data $ (docker ps -f name = php-fpm-mailcow -q) bash -c "php /web/nextcloud/occ db: add-missing-indices"` --- ## Debugging & Troubleshooting -It may happen that you cannot reach the Nextcloud instance from your network. This may be due to the fact that the entry of your subnet in the array 'trusted_proxies' is missing. You can make changes in the Nextcloud config.php in data/web/nextcloud/config/*. +It may happen that you cannot reach the Nextcloud instance from your network. This may be due to the fact that the entry of your subnet in the array 'trusted_proxies' is missing. You can make changes in the Nextcloud config.php in `data/web/nextcloud/config/*`. ``` 'trusted_proxies' => From ddcb55f3ccd2d7509ce75ce24aefceb4ce4e7342 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Sun, 7 Feb 2021 20:14:57 +0100 Subject: [PATCH 095/220] Update third_party-nextcloud.md Remove more spaces --- docs/third_party-nextcloud.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/third_party-nextcloud.md b/docs/third_party-nextcloud.md index 388464be8..31153440c 100644 --- a/docs/third_party-nextcloud.md +++ b/docs/third_party-nextcloud.md 
@@ -84,7 +84,7 @@ The Nextcloud instance can be updated easily with the web update mechanism. In t It shows which commands have to be executed, these have to be placed in the php-fpm-mailcow container. As an an example run the following command to add the missing indices. -`docker exec -it -u www-data $ (docker ps -f name = php-fpm-mailcow -q) bash -c "php /web/nextcloud/occ db: add-missing-indices"` +`docker exec -it -u www-data $(docker ps -f name=php-fpm-mailcow -q) bash -c "php /web/nextcloud/occ db:add-missing-indices"` --- From 637ccfe5f4d5f7cd3a8c8ed0e0f2f63c068fdb29 Mon Sep 17 00:00:00 2001 From: guiguir68 <46498821+guiguir68@users.noreply.github.com> Date: Mon, 8 Feb 2021 00:48:59 +0100 Subject: [PATCH 096/220] Updated copyright year and HNY! --- mkdocs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mkdocs.yml b/mkdocs.yml index 704d0f072..55f8d40e2 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -1,6 +1,6 @@ site_name: 'mailcow: dockerized documentation' site_url: https://mailcow.github.io/mailcow-dockerized-docs/ -copyright: 'Copyright © 2020 André Peters' +copyright: 'Copyright © 2021 André Peters' repo_name: mailcow/mailcow-dockerized repo_url: https://github.com/mailcow/mailcow-dockerized edit_uri: ../mailcow-dockerized-docs/edit/master/docs/ From f41a9f75d8c71fb683c2c1644a6c43377cc678ec Mon Sep 17 00:00:00 2001 From: Rijul-Ahuja <31570722+Rijul-Ahuja@users.noreply.github.com> Date: Mon, 8 Feb 2021 06:32:36 +0000 Subject: [PATCH 097/220] Remove superfluous space character from override Remove the extra space character at the start of the services line in the ofelia docker-compose.override.yml --- docs/u_e-dovecot-expunge.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/u_e-dovecot-expunge.md b/docs/u_e-dovecot-expunge.md index d6fc3ac24..5c1d3cedc 100644 --- a/docs/u_e-dovecot-expunge.md +++ b/docs/u_e-dovecot-expunge.md 
@@ -61,7 +61,7 @@ To archive this with a docker job scheduler use this docker-compose.override.yml ``` version: '2.1' - services: +services: ofelia: image: mcuadros/ofelia:latest @@ -90,4 +90,4 @@ common.go:124 ▶ NOTICE [Job "dovecot-expunge-trash" (8759567efa66)] Finished i If it failed it will say so and give you the output of the doveadm in the log to make it easy on you to debug. -In case you want to add more jobs, ensure you change the "dovecot-expunge-trash" part after "ofelia.job-exec." to something else, it defines the name of the job. Syntax of the labels you find at [mcuadros/ofelia](https://github.com/mcuadros/ofelia). \ No newline at end of file +In case you want to add more jobs, ensure you change the "dovecot-expunge-trash" part after "ofelia.job-exec." to something else, it defines the name of the job. Syntax of the labels you find at [mcuadros/ofelia](https://github.com/mcuadros/ofelia). From 9890ae082c6770643cd3fe845e1c5bd078e1d087 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Wed, 10 Feb 2021 09:36:39 +0100 Subject: [PATCH 098/220] Update third_party-portainer.md --- docs/third_party-portainer.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/third_party-portainer.md b/docs/third_party-portainer.md index c3f4270d6..deebe9d79 100644 --- a/docs/third_party-portainer.md +++ b/docs/third_party-portainer.md @@ -5,7 +5,7 @@ In order to enable Portainer, the docker-compose.yml and site.conf for Nginx mus version: '2.1' services: portainer-mailcow: - image: portainer/portainer + image: portainer/portainer-ce volumes: - /var/run/docker.sock:/var/run/docker.sock - ./data/conf/portainer:/data From 558d92bc0d686843bf123d9e53f9d97c2964707e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Thu, 11 Feb 2021 09:48:42 +0100 Subject: [PATCH 099/220] Update model-passwd.md --- docs/model-passwd.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) 
diff --git a/docs/model-passwd.md b/docs/model-passwd.md index daddcb59d..3c15dd205 100644 --- a/docs/model-passwd.md +++ b/docs/model-passwd.md @@ -14,9 +14,27 @@ The methods above can be used in `mailcow.conf` as `MAILCOW_PASS_SCHEME` value. The following methods are supported **read only**. +- ARGON2I +- ARGON2ID +- CLEAR +- CLEARTEXT +- CRYPT +- DES-CRYPT +- LDAP-MD5 +- MD5 - MD5-CRYPT +- PBKDF2 +- PLAIN +- PLAIN-MD4 - PLAIN-MD5 +- PLAIN-TRUNC +- SHA +- SHA1 +- SHA256 +- SHA256-CRYPT +- SHA512 - SHA512-CRYPT +- SMD5 That means mailcow is able to verify users with a hash like `{PLAIN-MD5}1a1dc91c907325c69271ddf0c944bc72` from the database. From c774f70998fb50ace964599a844dd86ff0242721 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Thu, 11 Feb 2021 09:56:11 +0100 Subject: [PATCH 100/220] Update model-passwd.md --- docs/model-passwd.md | 34 ++++++++++++++++++---------------- 1 file changed, 18 insertions(+), 16 deletions(-) diff --git a/docs/model-passwd.md b/docs/model-passwd.md index 3c15dd205..05b710ac2 100644 --- a/docs/model-passwd.md +++ b/docs/model-passwd.md 
@@ -12,29 +12,31 @@ The methods above can be used in `mailcow.conf` as `MAILCOW_PASS_SCHEME` value. ## Read-only hashing methods -The following methods are supported **read only**. +The following methods are supported **read only**. +If you plan to use SOGo (as per default), you need a SOGo compatible hashing method. Please see the note at the bottom of this page how to update the view if necessary. +With SOGo disabled, all hashing methods below will be able to be read by mailcow and Dovecot. -- ARGON2I -- ARGON2ID +- ARGON2I (SOGo compatible) +- ARGON2ID (SOGo compatible) - CLEAR - CLEARTEXT -- CRYPT +- CRYPT (SOGo compatible) - DES-CRYPT -- LDAP-MD5 -- MD5 -- MD5-CRYPT -- PBKDF2 -- PLAIN +- LDAP-MD5 (SOGo compatible) +- MD5 (SOGo compatible) +- MD5-CRYPT (SOGo compatible) +- PBKDF2 (SOGo compatible) +- PLAIN (SOGo compatible) - PLAIN-MD4 - PLAIN-MD5 - PLAIN-TRUNC -- SHA -- SHA1 -- SHA256 -- SHA256-CRYPT -- SHA512 -- SHA512-CRYPT -- SMD5 +- SHA (SOGo compatible) +- SHA1 (SOGo compatible) +- SHA256 (SOGo compatible) +- SHA256-CRYPT (SOGo compatible) +- SHA512 (SOGo compatible) +- SHA512-CRYPT (SOGo compatible) +- SMD5 (SOGo compatible) That means mailcow is able to verify users with a hash like `{PLAIN-MD5}1a1dc91c907325c69271ddf0c944bc72` from the database. From cf7677ac19c47a5aa65abcfd45dcbb2e3efebe86 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Thu, 11 Feb 2021 09:57:01 +0100 Subject: [PATCH 101/220] Update model-passwd.md --- docs/model-passwd.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/model-passwd.md b/docs/model-passwd.md index 05b710ac2..3e74ac6d5 100644 --- a/docs/model-passwd.md +++ b/docs/model-passwd.md 
@@ -38,7 +38,7 @@ With SOGo disabled, all hashing methods below will be able to be read by mailcow - SHA512-CRYPT (SOGo compatible) - SMD5 (SOGo compatible) -That means mailcow is able to verify users with a hash like `{PLAIN-MD5}1a1dc91c907325c69271ddf0c944bc72` from the database. +That means mailcow is able to verify users with a hash like `{MD5}1a1dc91c907325c69271ddf0c944bc72` from the database. The value of `MAILCOW_PASS_SCHEME` will _always_ be used to encrypt new passwords. From 727e841bee81deb9e7a04b3ffbf9ddcdef43e67d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Fri, 12 Feb 2021 11:23:12 +0100 Subject: [PATCH 102/220] Update prerequisite-system.md --- docs/prerequisite-system.md | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/docs/prerequisite-system.md b/docs/prerequisite-system.md index c70415166..ecf6dbf96 100644 --- a/docs/prerequisite-system.md +++ b/docs/prerequisite-system.md 
@@ -59,17 +59,19 @@ If this command returns any results please remove or stop the application runnin If you have a firewall in front of mailcow, please make sure that these ports are open for incoming connections: -| Service | Protocol | Port | Container | Variable | -| --------------------|:--------:|:-------|:----------------|----------------------------------| -| Postfix SMTP | TCP | 25 | postfix-mailcow | `${SMTP_PORT}` | -| Postfix SMTPS | TCP | 465 | postfix-mailcow | `${SMTPS_PORT}` | -| Postfix Submission | TCP | 587 | postfix-mailcow | `${SUBMISSION_PORT}` | -| Dovecot IMAP | TCP | 143 | dovecot-mailcow | `${IMAP_PORT}` | -| Dovecot IMAPS | TCP | 993 | dovecot-mailcow | `${IMAPS_PORT}` | -| Dovecot POP3 | TCP | 110 | dovecot-mailcow | `${POP_PORT}` | -| Dovecot POP3S | TCP | 995 | dovecot-mailcow | `${POPS_PORT}` | -| Dovecot ManageSieve | TCP | 4190 | dovecot-mailcow | `${SIEVE_PORT}` | -| HTTP(S) | TCP | 80/443 | nginx-mailcow | `${HTTP_PORT}` / `${HTTPS_PORT}` | +| Service | Protocol | Port | Container | Variable | +| --------------------|:--------:|:-------|:------------------|----------------------------------| +| Postfix SMTP | TCP | 25 | postfix-mailcow | `${SMTP_PORT}` | +| Postfix SMTPS | TCP | 465 | postfix-mailcow | `${SMTPS_PORT}` | +| Postfix Submission | TCP | 587 | postfix-mailcow | `${SUBMISSION_PORT}` | +| Dovecot IMAP | TCP | 143 | dovecot-mailcow | `${IMAP_PORT}` | +| Dovecot IMAPS | TCP | 993 | dovecot-mailcow | `${IMAPS_PORT}` | +| Dovecot POP3 | TCP | 110 | dovecot-mailcow | `${POP_PORT}` | +| Dovecot POP3S | TCP | 995 | dovecot-mailcow | `${POPS_PORT}` | +| Dovecot ManageSieve | TCP | 4190 | dovecot-mailcow | `${SIEVE_PORT}` | +| HTTP(S) | TCP | 80/443 | nginx-mailcow | `${HTTP_PORT}` / `${HTTPS_PORT}` | +| XMPP (c2s) | TCP | 5222 | ejabberd-mailcow | `${XMPP_C2S_PORT}` | +| XMPP (s2s) | TCP | 5269 | ejabberd-mailcow | `${XMPP_C2S_PORT}` | To bind a service to an IP address, you can prepend the IP like this: `SMTP_PORT=1.2.3.4:25` 
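Review bot: In the rebuilt port table, the added `XMPP (s2s)` row for port 5269 lists `${XMPP_C2S_PORT}`, the same variable as the `XMPP (c2s)` row for 5222, which looks like a copy-paste slip. An operator who uses this table to rebind or firewall the server-to-server listener would end up changing the client port instead, so the 5269 row should name the s2s port variable from `mailcow.conf`.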
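Review bot: On [PATCH 093/220] (docs/third_party-nextcloud.md, "Debugging & Troubleshooting"), the `trusted_proxies` example adds a whole range, `2 => 'NewSubnet/24'`, and the text says to enter "your subnet" without explaining what the setting trusts. Nextcloud accepts the forwarded client address from any host listed there, so every machine in that /24 could set the address Nextcloud logs and throttles on. The paragraph should tell readers to list only the reverse proxy's own address (or the narrowest range that contains it) and say plainly that `NewSubnet` is a placeholder to replace.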
From 897832db13a4f62dedbdcf8b94593782af22c901 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Fri, 12 Feb 2021 11:23:49 +0100 Subject: [PATCH 103/220] Update prerequisite-system.md --- docs/prerequisite-system.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/prerequisite-system.md b/docs/prerequisite-system.md index ecf6dbf96..9cefa6697 100644 --- a/docs/prerequisite-system.md +++ b/docs/prerequisite-system.md @@ -44,9 +44,9 @@ We can help to correctly plan your setup as part of our support. Please check if any of mailcow's standard ports are open and not in use by other applications: ``` -ss -tlpn | grep -E -w '25|80|110|143|443|465|587|993|995|4190' +ss -tlpn | grep -E -w '25|80|110|143|443|465|587|993|995|4190|5222|5269' # or: -netstat -tulpn | grep -E -w '25|80|110|143|443|465|587|993|995|4190' +netstat -tulpn | grep -E -w '25|80|110|143|443|465|587|993|995|4190|5222|5269' ``` !!! warning From af053eb146f81ee58392147f37b5f00d4a2a7678 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Fri, 12 Feb 2021 12:29:55 +0100 Subject: [PATCH 104/220] Update firststeps-rp.md --- docs/firststeps-rp.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/docs/firststeps-rp.md b/docs/firststeps-rp.md index c37bc2c01..3574c2767 100644 --- a/docs/firststeps-rp.md +++ b/docs/firststeps-rp.md @@ -43,11 +43,13 @@ Let's Encrypt will follow our rewrite, certificate requests in mailcow will work **Take care of highlighted lines.** -``` apache hl_lines="2 10 11 17 22 23 24 25 30 31" +``` apache hl_lines="2 5 6 12 13 19 22 23 26 27 28 29 34 35" ServerName CHANGE_TO_MAILCOW_HOSTNAME ServerAlias autodiscover.* ServerAlias autoconfig.* + ServerAlias xmpp_prefix_if_any.domain + ServerAlias *.xmpp_prefix_if_any.domain RewriteEngine on RewriteCond %{HTTPS} off 
@@ -63,6 +65,8 @@ Let's Encrypt will follow our rewrite, certificate requests in mailcow will work ServerName CHANGE_TO_MAILCOW_HOSTNAME ServerAlias autodiscover.* ServerAlias autoconfig.* + ServerAlias xmpp_prefix_if_any.domain + ServerAlias *.xmpp_prefix_if_any.domain # You should proxy to a plain HTTP session to offload SSL processing ProxyPass /Microsoft-Server-ActiveSync http://127.0.0.1:8080/Microsoft-Server-ActiveSync connectiontimeout=4000 @@ -97,13 +101,13 @@ Let's Encrypt will follow our rewrite, certificate requests will work fine. server { listen 80 default_server; listen [::]:80 default_server; - server_name CHANGE_TO_MAILCOW_HOSTNAME autodiscover.* autoconfig.*; + server_name CHANGE_TO_MAILCOW_HOSTNAME autodiscover.* autoconfig.* xmpp_prefix_if_any.domain *.xmpp_prefix_if_any.domain; return 301 https://$host$request_uri; } server { listen 443 ssl http2; listen [::]:443 ssl http2; - server_name CHANGE_TO_MAILCOW_HOSTNAME autodiscover.* autoconfig.*; + server_name CHANGE_TO_MAILCOW_HOSTNAME autodiscover.* autoconfig.* xmpp_prefix_if_any.domain *.xmpp_prefix_if_any.domain; ssl_certificate MAILCOW_PATH/data/assets/ssl/cert.pem; ssl_certificate_key MAILCOW_PATH/data/assets/ssl/key.pem; From a68fc8d0b88c2df46ec2e2c8c3efc6fd7a18d912 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Fri, 12 Feb 2021 15:45:35 +0100 Subject: [PATCH 105/220] Update prerequisite-system.md --- docs/prerequisite-system.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/prerequisite-system.md b/docs/prerequisite-system.md index 9cefa6697..933440d5a 100644 --- a/docs/prerequisite-system.md +++ b/docs/prerequisite-system.md 
@@ -72,6 +72,7 @@ If you have a firewall in front of mailcow, please make sure that these ports ar | HTTP(S) | TCP | 80/443 | nginx-mailcow | `${HTTP_PORT}` / `${HTTPS_PORT}` | | XMPP (c2s) | TCP | 5222 | ejabberd-mailcow | `${XMPP_C2S_PORT}` | | XMPP (s2s) | TCP | 5269 | ejabberd-mailcow | `${XMPP_C2S_PORT}` | +| XMPP (upload) | TCP | 5443 | ejabberd-mailcow | `${XMPP_HTTPS_PORT}` | To bind a service to an IP address, you can prepend the IP like this: `SMTP_PORT=1.2.3.4:25` From fa46f74de19c36fc105f07d06c23ce215a018cf3 Mon Sep 17 00:00:00 2001 From: Peter Date: Sat, 13 Feb 2021 21:38:03 +0100 Subject: [PATCH 106/220] Update prerequisite-system.md --- docs/prerequisite-system.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/prerequisite-system.md b/docs/prerequisite-system.md index 933440d5a..8ece0257c 100644 --- a/docs/prerequisite-system.md +++ b/docs/prerequisite-system.md @@ -44,9 +44,9 @@ We can help to correctly plan your setup as part of our support. Please check if any of mailcow's standard ports are open and not in use by other applications: ``` -ss -tlpn | grep -E -w '25|80|110|143|443|465|587|993|995|4190|5222|5269' +ss -tlpn | grep -E -w '25|80|110|143|443|465|587|993|995|4190|5222|5269|5443' # or: -netstat -tulpn | grep -E -w '25|80|110|143|443|465|587|993|995|4190|5222|5269' +netstat -tulpn | grep -E -w '25|80|110|143|443|465|587|993|995|4190|5222|5269|5443' ``` !!! warning From 2c4b66814c8227ee6aaa24fff30cdb20cbb0ab92 Mon Sep 17 00:00:00 2001 
From: andryyy Date: Sun, 14 Feb 2021 18:01:51 +0100 Subject: [PATCH 107/220] [WIP] XMPP --- ...prem.md => third_party-exchange_onprem.md} | 0 ...d => third_party-mailpiler_integration.md} | 0 docs/u_e-xmpp-autoconfig.md | 1 + docs/u_e-xmpp-certs.md | 1 + docs/u_e-xmpp-enable.md | 1 + mkdocs.yml | 125 +++++++++--------- 6 files changed, 68 insertions(+), 60 deletions(-) rename docs/{u_e-exchange-onprem.md => third_party-exchange_onprem.md} (100%) rename docs/{u_e-mailpiler-integration.md => third_party-mailpiler_integration.md} (100%) create mode 100644 docs/u_e-xmpp-autoconfig.md create mode 100644 docs/u_e-xmpp-certs.md create mode 100644 docs/u_e-xmpp-enable.md diff --git a/docs/u_e-exchange-onprem.md b/docs/third_party-exchange_onprem.md similarity index 100% rename from docs/u_e-exchange-onprem.md rename to docs/third_party-exchange_onprem.md diff --git a/docs/u_e-mailpiler-integration.md b/docs/third_party-mailpiler_integration.md similarity index 100% rename from docs/u_e-mailpiler-integration.md rename to docs/third_party-mailpiler_integration.md diff --git a/docs/u_e-xmpp-autoconfig.md b/docs/u_e-xmpp-autoconfig.md new file mode 100644 index 000000000..464090415 --- /dev/null +++ b/docs/u_e-xmpp-autoconfig.md @@ -0,0 +1 @@ +# TODO diff --git a/docs/u_e-xmpp-certs.md b/docs/u_e-xmpp-certs.md new file mode 100644 index 000000000..464090415 --- /dev/null +++ b/docs/u_e-xmpp-certs.md @@ -0,0 +1 @@ +# TODO diff --git a/docs/u_e-xmpp-enable.md b/docs/u_e-xmpp-enable.md new file mode 100644 index 000000000..464090415 --- /dev/null +++ b/docs/u_e-xmpp-enable.md @@ -0,0 +1 @@ +# TODO diff --git a/mkdocs.yml b/mkdocs.yml index 55f8d40e2..fb3da08a4 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
@@ -28,90 +28,93 @@ nav: - 'Installation': 'i_u_m_install.md' - 'Update': 'i_u_m_update.md' - 'Migration': 'i_u_m_migration.md' -- 'First Steps (optional)': - - 'Untrust RFC 1918': 'firststeps-rfc-1918.md' +- 'Post-Installation tasks (optional)': - 'Advanced SSL': 'firststeps-ssl.md' - - 'Rspamd UI': 'firststeps-rspamd_ui.md' - - 'Reverse Proxy': 'firststeps-rp.md' - - 'SNAT': 'firststeps-snat.md' - 'Disable IPv6': 'firststeps-disable_ipv6.md' - - 'Relayhosts': 'firststeps-relayhost.md' - - 'Logging': 'firststeps-logging.md' - - 'Local MTA on Docker host': 'firststeps-local_mta.md' - - 'Sync job migration': 'firststeps-sync_jobs_migration.md' - 'IP bindings': 'firststeps-ip_bindings.md' + - 'Local MTA on Docker host': 'firststeps-local_mta.md' + - 'Logging': 'firststeps-logging.md' + - 'Relayhosts': 'firststeps-relayhost.md' + - 'Reverse Proxy': 'firststeps-rp.md' + - 'Rspamd UI': 'firststeps-rspamd_ui.md' + - 'SNAT': 'firststeps-snat.md' + - 'Sync job migration': 'firststeps-sync_jobs_migration.md' + - 'Untrust RFC 1918': 'firststeps-rfc-1918.md' - 'Models': - 'ACL': 'model-acl.md' - 'Password hashing': 'model-passwd.md' - 'Sender and receiver model': 'model-sender_rcv.md' -- 'Debugging & Troubleshooting': - - 'Introduction': debug.md - - 'Logs': 'debug-logs.md' - - 'Attach a Container': 'debug-attach_service.md' - - 'Reset Passwords (incl. SQL)': 'debug-reset_pw.md' - - 'Manual MySQL upgrade': 'debug-mysql_upgrade.md' - - 'Remove Persistent Data': 'debug-rm_volumes.md' - - 'Common Problems': 'debug-common_problems.md' - - 'Admin login to SOGo': 'debug-admin_login_sogo.md' +- 'General Troubleshooting': + - 'Introduction': debug.md + - 'Logs': 'debug-logs.md' + - 'Attach a Container': 'debug-attach_service.md' + - 'Reset Passwords (incl. 
SQL)': 'debug-reset_pw.md' + - 'Manual MySQL upgrade': 'debug-mysql_upgrade.md' + - 'Remove Persistent Data': 'debug-rm_volumes.md' + - 'Common Problems': 'debug-common_problems.md' + - 'Admin login to SOGo': 'debug-admin_login_sogo.md' - 'Backup & Restore': - 'Helper script': - - 'Backup': 'b_n_r_backup.md' - - 'Restore': 'b_n_r_restore.md' + - 'Backup': 'b_n_r_backup.md' + - 'Restore': 'b_n_r_restore.md' - 'Manually': - - 'Maildir': 'u_e-backup_restore-maildir.md' - - 'MySQL': 'u_e-backup_restore-mysql.md' -- 'Usage & Examples': + - 'Maildir': 'u_e-backup_restore-maildir.md' + - 'MySQL': 'u_e-backup_restore-mysql.md' +- 'Manual/Guides/Examples': - 'mailcow UI': - - 'Configuration': 'u_e-mailcow_ui-config.md' - - 'Blacklist / Whitelist': 'u_e-mailcow_ui-bl_wl.md' - - 'Pushover': 'u_e-mailcow_ui-pushover.md' - - 'Spamfilter': 'u_e-mailcow_ui-spamfilter.md' - - 'Temporary email aliases': 'u_e-mailcow_ui-spamalias.md' - - 'Tagging': 'u_e-mailcow_ui-tagging.md' - - 'Two-Factor Authentication': 'u_e-mailcow_ui-tfa.md' - - 'WebAuthn / FIDO2': 'u_e-fido2.md' + - 'Configuration': 'u_e-mailcow_ui-config.md' + - 'Blacklist / Whitelist': 'u_e-mailcow_ui-bl_wl.md' + - 'Pushover': 'u_e-mailcow_ui-pushover.md' + - 'Spamfilter': 'u_e-mailcow_ui-spamfilter.md' + - 'Temporary email aliases': 'u_e-mailcow_ui-spamalias.md' + - 'Tagging': 'u_e-mailcow_ui-tagging.md' + - 'Two-Factor Authentication': 'u_e-mailcow_ui-tfa.md' + - 'WebAuthn / FIDO2': 'u_e-fido2.md' - 'Postfix': - - 'Custom transport maps': 'u_e-postfix-custom_transport.md' - - 'Whitelist IP in Postscreen': 'u_e-postfix-postscreen_whitelist.md' - - 'Customize/Expand main.cf': 'u_e-postfix-extra_cf.md' - - 'Disable Sender Addresses Verification': 'u_e-postfix-disable_sender_verification.md' - - 'Max. 
message size (attachment size)': 'u_e-postfix-attachment_size.md' - - 'Statistics with pflogsumm': 'u_e-postfix-pflogsumm.md' + - 'Custom transport maps': 'u_e-postfix-custom_transport.md' + - 'Whitelist IP in Postscreen': 'u_e-postfix-postscreen_whitelist.md' + - 'Customize/Expand main.cf': 'u_e-postfix-extra_cf.md' + - 'Disable Sender Addresses Verification': 'u_e-postfix-disable_sender_verification.md' + - 'Max. message size (attachment size)': 'u_e-postfix-attachment_size.md' + - 'Statistics with pflogsumm': 'u_e-postfix-pflogsumm.md' - 'Unbound': - - 'Using an external DNS service': 'u_e-unbound-fwd.md' + - 'Using an external DNS service': 'u_e-unbound-fwd.md' - 'Dovecot': - - 'Enable "any" ACL settings': 'u_e-dovecot-any_acl.md' - - 'Expunge a Users mails': 'u_e-dovecot-expunge.md' - - 'Customize/Expand dovecot.conf': 'u_e-dovecot-extra_conf.md' - - 'FTS (Solr)': 'u_e-dovecot-fts.md' - - 'IMAP IDLE interval': 'u_e-dovecot-idle_interval.md' - - 'Mail crypt': 'u_e-dovecot-mail-crypt.md' - - 'More Examples with DOVEADM': 'u_e-dovecot-more.md' - - 'Move vmail volume': 'u_e-dovecot-vmail-volume.md' - - 'Public folders': 'u_e-dovecot-public_folder.md' - - 'Static master user': 'u_e-dovecot-static_master.md' + - 'Enable "any" ACL settings': 'u_e-dovecot-any_acl.md' + - 'Expunge a Users mails': 'u_e-dovecot-expunge.md' + - 'Customize/Expand dovecot.conf': 'u_e-dovecot-extra_conf.md' + - 'FTS (Solr)': 'u_e-dovecot-fts.md' + - 'IMAP IDLE interval': 'u_e-dovecot-idle_interval.md' + - 'Mail crypt': 'u_e-dovecot-mail-crypt.md' + - 'More Examples with DOVEADM': 'u_e-dovecot-more.md' + - 'Move Maildir (vmail)': 'u_e-dovecot-vmail-volume.md' + - 'Public folders': 'u_e-dovecot-public_folder.md' + - 'Static master user': 'u_e-dovecot-static_master.md' - 'Nginx': - - 'Custom sites': 'u_e-nginx.md' - - 'Create subdomain webmail.example.org': 'u_e-webmail-site.md' + - 'Custom sites': 'u_e-nginx.md' + - 'Create subdomain webmail.example.org': 'u_e-webmail-site.md' - 'Redis': 
'u_e-redis.md' - 'Rspamd': 'u_e-rspamd.md' - 'SOGo': 'u_e-sogo.md' + - 'XMPP': + - 'Enable XMPP': 'u_e-xmpp-enable.md' + - 'Certificates': 'u_e-xmpp-certs.md' + - 'Autoconfig': 'u_e-xmpp-autoconfig.md' - 'Docker': - - 'Customize Dockerfiles': 'u_e-docker-cust_dockerfiles.md' - - 'Docker Compose Bash Completion': 'u_e-docker-dc_bash_compl.md' + - 'Customize Dockerfiles': 'u_e-docker-cust_dockerfiles.md' + - 'Docker Compose Bash Completion': 'u_e-docker-dc_bash_compl.md' - 'Why unbound?': 'u_e-why_unbound.md' - 'Autodiscover / Autoconfig': 'u_e-autodiscover_config.md' - 'Redirect HTTP to HTTPS': 'u_e-80_to_443.md' - 'Adjust Service Configurations': 'u_e-change_config.md' - 'Deinstall': 'u_e-deinstall.md' - 'Re-enable TLS 1.0 and TLS 1.1': 'u_e-reeanble-weak-protocols.md' - - 'Mailpiler Integration': 'u_e-mailpiler-integration.md' - - 'Exchange Hybrid Setup': 'u_e-exchange-onprem.md' - 'Client Configuration': - 'Overview': 'client.md' - 'Android': 'client/client-android.md' - 'Apple macOS / iOS': 'client/client-apple.md' - 'eM Client': 'client/client-emclient.md' + - 'Gajim XMPP client': 'client/client-gajim_xmpp_client.md' - 'KDE Kontact': 'client/client-kontact.md' - 'Microsoft Outlook': 'client/client-outlook.md' - 'Mozilla Thunderbird': 'client/client-thunderbird.md' 
@@ -119,12 +122,14 @@ nav: - 'Windows Phone': 'client/client-windowsphone.md' - 'Manual configuration': 'client/client-manual.md' - 'Third party apps': - - 'SOGo Connector for Thunderbird': 'third_party-thunderbird.md' - - 'Roundcube': 'third_party-roundcube.md' - - 'Portainer': 'third_party-portainer.md' - - 'Gogs': 'third_party-gogs.md' + - 'Exchange Hybrid Setup': 'third_party-exchange_onprem.md' - 'Gitea': 'third_party-gitea.md' + - 'Gogs': 'third_party-gogs.md' + - 'Mailpiler Integration': 'third_party-mailpiler_integration.md' - 'Nextcloud': 'third_party-nextcloud.md' + - 'Portainer': 'third_party-portainer.md' + - 'Roundcube': 'third_party-roundcube.md' + - 'SOGo Connector for Thunderbird': 'third_party-thunderbird.md' icon: logo: 'images/logo.svg' extra: @@ -133,8 +138,8 @@ extra: accent: 'orange' social: - icon: fontawesome/solid/globe-americas - link: https://mailcow.email + link: https://mailcow.email - icon: fontawesome/brands/github-alt - link: https://github.com/mailcow + link: https://github.com/mailcow extra_css: [extra.css] extra_javascript: [clients.js] From 960a66944a9f5adfd85f316dd74a779f107a5dd7 Mon Sep 17 00:00:00 2001 From: andryyy Date: Sun, 14 Feb 2021 20:39:15 +0100 Subject: [PATCH 108/220] Fix build --- mkdocs.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/mkdocs.yml b/mkdocs.yml index fb3da08a4..b05d837ac 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -138,8 +138,8 @@ extra: accent: 'orange' social: - icon: fontawesome/solid/globe-americas - link: https://mailcow.email + link: https://mailcow.email - icon: fontawesome/brands/github-alt - link: https://github.com/mailcow + link: https://github.com/mailcow extra_css: [extra.css] extra_javascript: [clients.js] From b8bf1b54cdb358aebf457d93a77ce13c4d415a00 Mon Sep 17 00:00:00 2001 From: andryyy Date: Sun, 14 Feb 2021 20:50:08 +0100 Subject: [PATCH 109/220] Fix sidebar width --- mkdocs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/mkdocs.yml b/mkdocs.yml index b05d837ac..32c8ceebc 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -28,7 +28,7 @@ nav: - 'Installation': 'i_u_m_install.md' - 'Update': 'i_u_m_update.md' - 'Migration': 'i_u_m_migration.md' -- 'Post-Installation tasks (optional)': +- 'Post Installation Tasks': - 'Advanced SSL': 'firststeps-ssl.md' - 'Disable IPv6': 'firststeps-disable_ipv6.md' - 'IP bindings': 'firststeps-ip_bindings.md' From f53af816ffc1bb9650041c2ff89d5fdcf34cd401 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Mon, 15 Feb 2021 21:01:34 +0100 Subject: [PATCH 110/220] Update prerequisite-dns.md --- docs/prerequisite-dns.md | 32 ++++++++++++++------------------ 1 file changed, 14 insertions(+), 18 deletions(-) diff --git a/docs/prerequisite-dns.md b/docs/prerequisite-dns.md index 1de6f22b7..0d198c428 100644 --- a/docs/prerequisite-dns.md +++ b/docs/prerequisite-dns.md @@ -23,10 +23,9 @@ This example shows you a set of records for one domain managed by mailcow. Each ``` # Name Type Value mail IN A 1.2.3.4 -autodiscover IN CNAME mail -autoconfig IN CNAME mail - -@ IN MX 10 mail +autodiscover IN CNAME mail.example.org. (your ${MAILCOW_HOSTNAME}) +autoconfig IN CNAME mail.example.org. (your ${MAILCOW_HOSTNAME}) +@ IN MX 10 mail.example.org. (your ${MAILCOW_HOSTNAME}) ``` ## DKIM, SPF and DMARC @@ -35,7 +34,7 @@ In the example DNS zone file snippet below, a simple **SPF** TXT record is used ``` # Name Type Value -@ IN TXT "v=spf1 mx -all" +@ IN TXT "v=spf1 mx a -all" ``` It is highly recommended to create a **DKIM** TXT record in your mailcow UI and set the corresponding TXT record in your DNS records. Please refer to [OpenDKIM](http://www.opendkim.org) for further reading. 
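Review bot: the `a` mechanism added to the SPF example in docs/prerequisite-dns.md (`"v=spf1 mx a -all"`) widens the set of authorized senders without any explanation in the surrounding text. `a` authorizes whatever address the domain's own A record resolves to, and the example zone in the first hunk only defines an A record for `mail`, so on a domain whose apex points at a separate web host this allows that host to send as the domain. Suggest keeping `mx` alone in the example, or adding a sentence that says when `a` is wanted.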
@@ -58,21 +57,18 @@ _dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:mailauth-reports@ ``` # Name Type Priority Weight Port Value -_autodiscover._tcp IN SRV 0 1 443 mail.example.org. -_caldavs._tcp IN SRV 0 1 443 mail.example.org. +_autodiscover._tcp IN SRV 0 1 443 mail.example.org. (your ${MAILCOW_HOSTNAME}) +_caldavs._tcp IN SRV 0 1 443 mail.example.org. (your ${MAILCOW_HOSTNAME}) _caldavs._tcp IN TXT "path=/SOGo/dav/" -_carddavs._tcp IN SRV 0 1 443 Mail.example.org. +_carddavs._tcp IN SRV 0 1 443 Mail.example.org. (your ${MAILCOW_HOSTNAME}) _carddavs._tcp IN TXT "path=/SOGo/dav/" -_imap._tcp IN SRV 0 1 143 mail.example.org. -_imaps._tcp IN SRV 0 1 993 mail.example.org. -_pop3._tcp IN SRV 0 1 110 mail.example.org. -_pop3s._tcp IN SRV 0 1 995 mail.example.org. -_sieve._tcp IN SRV 0 1 4190 mail.example.org. -_smtps._tcp IN SRV 0 1 465 mail.example.org. -_submission._tcp IN SRV 0 1 587 mail.example.org. - - - +_imap._tcp IN SRV 0 1 143 mail.example.org. (your ${MAILCOW_HOSTNAME}) +_imaps._tcp IN SRV 0 1 993 mail.example.org. (your ${MAILCOW_HOSTNAME}) +_pop3._tcp IN SRV 0 1 110 mail.example.org. (your ${MAILCOW_HOSTNAME}) +_pop3s._tcp IN SRV 0 1 995 mail.example.org. (your ${MAILCOW_HOSTNAME}) +_sieve._tcp IN SRV 0 1 4190 mail.example.org. (your ${MAILCOW_HOSTNAME}) +_smtps._tcp IN SRV 0 1 465 mail.example.org. (your ${MAILCOW_HOSTNAME}) +_submission._tcp IN SRV 0 1 587 mail.example.org. (your ${MAILCOW_HOSTNAME}) ``` ## Testing From 30929db73a72041a73f07a1e6d7faae9837d239a Mon Sep 17 00:00:00 2001 From: andryyy Date: Mon, 15 Feb 2021 21:29:45 +0100 Subject: [PATCH 111/220] Add XMPP --- docs/client/client-gajim_xmpp_client.md | 1 + docs/u_e-xmpp-autoconfig.md | 1 - docs/u_e-xmpp-certs.md | 1 - docs/u_e-xmpp-enable.md | 86 ++++++++++++++++++++++++- mkdocs.yml | 2 - 5 files changed, 86 insertions(+), 5 deletions(-) create mode 100644 docs/client/client-gajim_xmpp_client.md delete mode 100644 docs/u_e-xmpp-autoconfig.md delete mode 100644 docs/u_e-xmpp-certs.md 
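Review bot: the `(your ${MAILCOW_HOSTNAME})` hint is appended inside the record value on every SRV line of docs/prerequisite-dns.md (and on the CNAME and MX lines in the first hunk), so a line copied as-is is no longer a valid record. Suggest moving the hint to a single comment line in the block's existing `#` style. The `_carddavs._tcp` line also still reads `Mail.example.org.` with a capital M, unlike its neighbours; since the line is being touched anyway, it could be normalized here.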
diff --git a/docs/client/client-gajim_xmpp_client.md b/docs/client/client-gajim_xmpp_client.md new file mode 100644 index 000000000..85e6ff194 --- /dev/null +++ b/docs/client/client-gajim_xmpp_client.md @@ -0,0 +1 @@ +# WIP diff --git a/docs/u_e-xmpp-autoconfig.md b/docs/u_e-xmpp-autoconfig.md deleted file mode 100644 index 464090415..000000000 --- a/docs/u_e-xmpp-autoconfig.md +++ /dev/null @@ -1 +0,0 @@ -# TODO diff --git a/docs/u_e-xmpp-certs.md b/docs/u_e-xmpp-certs.md deleted file mode 100644 index 464090415..000000000 --- a/docs/u_e-xmpp-certs.md +++ /dev/null @@ -1 +0,0 @@ -# TODO diff --git a/docs/u_e-xmpp-enable.md b/docs/u_e-xmpp-enable.md index 464090415..34bc3255a 100644 --- a/docs/u_e-xmpp-enable.md +++ b/docs/u_e-xmpp-enable.md 
@@ -1 +1,85 @@ -# TODO +XMPP is provided by ejabberd, which describes itself as robust, scalable and extensible XMPP Server. + +So first of all, thanks to ejabberd and its contributers! + +## Enable XMPP in mailcow + +To enable XMPP for a domain, you need to edit the given domain in mailcow UI: + +![Screen1](https://i.imgur.com/oLyHBke.png) + +The chosen prefix will be your XMPP domain for all XMPP-enabled users in mailcow, for example: + +- Mailbox cowboy@develcow.de will equal to Jabber ID cowboy@**xmpp_prefix**.develcow.de + +**The passwords for mail and XMPP are the same.** + +Before enabling XMPP for a domain, you should create two CNAME records in DNS: + +``` +# CNAMES +# Name Type Value +xmpp_prefix IN CNAME mail.example.org. (your ${MAILCOW_HOSTNAME}) +*.xmpp_prefix IN CNAME mail.example.org. (your ${MAILCOW_HOSTNAME}) +``` + +These two CNAMEs are essential for acquiring a certificate. Please **do not** add "xmpp_prefix.domain.tld" as name to `ADDITIONAL_SAN`. + +Make sure your CNAMEs are correct. Enable XMPP for your domain now. + +If you enabled XMPP first and then added your DNS records there is no need to worry. You will just need to wait for ejabberd to automatically acquire the certificates or +simply restart ejabberd-mailcow to trigger the process immediately: `docker-compose restart ejabberd-mailcow`. + +Once ejabberd is enabled, you may want to re-run the DNS check in the mailcow UI where you will find two more SRV records: + +![Screen2](https://i.imgur.com/IxlUZ7y.png) + +``` +# SRV records +# Name Type Priority Weight Port Value +_xmpp-client._tcp.xmpp_prefix IN SRV 10 1 5222 mail.example.org. (your ${MAILCOW_HOSTNAME}) +_xmpp-server._tcp.xmpp_prefix IN SRV 10 1 5269 mail.example.org. (your ${MAILCOW_HOSTNAME}) +``` + +There is no need to restart ejabberd, add these SRV records whenever you like. These records are crucial for autoconfiguration of XMPP clients and server-to-server connections. 
+ +## ACL + +A domain administrator can be given the right to toggle XMPP access for domains and mailboxes, promoting users to XMPP administrators (WIP) and to change the prefix: + +![Screen3](https://i.imgur.com/OxKuDFU.png) + +## Verify certificates + +Once everything is setup, make sure ejabberd was able to acquire certificates: + +If you see a message similar to... + +``` +ejabberd-mailcow_1 | 2021-02-13 14:40:19.507956+01:00 [error] Failed to request certificate for im.example.org, pubsub.im.example.org and 3 more hosts: Challenge failed for domain conference.im.example.org: ACME server reported: DNS problem: NXDOMAIN looking up A for conference.im.example.org - check that a DNS record exists for this domain (error type: dns) +``` + +...you may need to recheck your DNS configuration or restart ejabberd-mailcow to restart the process in case of slow DNS propagation. + +Opening `https://xmpp_prefix.domain.tld:5443/upload` should point you to a 404 page with a valid certificate. + +## Why can't we use no prefix? + +It does not matter which server name we point our SRV to, Jabber will always rely on the domain given in a JID. We would need to acquire a certificate for the SLD `domain.tld`, which hardly anyone wants to point to its mail system. + +We are sorry for this circumstance. As soon as we implemented Servercows DNS API, this may be reconsidered. + +## My reverse proxy does not work anymore + +If your reverse proxy is configured to point to a site like `webmail.domain.tld` **which mailcow is not aware of** (as in MAILCOW_HOSTNAME does **not** match `webmail.domain.tld`), you may now be redirected to the default ejabberd Nginx site. + +That's because mailcow does not know it should respond to `webmail.domain.tld` with mailcow UI. 
+ +In your reverse proxy configuration, make sure you set a "Host" header that mailcow actually services, similar to this (Nginx example): + +``` +proxy_set_header Host MAILCOW_HOSTNAME; +# Instead of proxy_set_header Host $http_host; +``` + +Now you can use whatever name you like, as long mailcow receives a known "Host" header. diff --git a/mkdocs.yml b/mkdocs.yml index 32c8ceebc..fe0cb444b 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -98,8 +98,6 @@ nav: - 'SOGo': 'u_e-sogo.md' - 'XMPP': - 'Enable XMPP': 'u_e-xmpp-enable.md' - - 'Certificates': 'u_e-xmpp-certs.md' - - 'Autoconfig': 'u_e-xmpp-autoconfig.md' - 'Docker': - 'Customize Dockerfiles': 'u_e-docker-cust_dockerfiles.md' - 'Docker Compose Bash Completion': 'u_e-docker-dc_bash_compl.md' From 0465031e0da268c4b55baa8cf0566da44f9038c2 Mon Sep 17 00:00:00 2001 From: andryyy Date: Mon, 15 Feb 2021 21:49:51 +0100 Subject: [PATCH 112/220] Some changes --- docs/u_e-xmpp-enable.md | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/docs/u_e-xmpp-enable.md b/docs/u_e-xmpp-enable.md index 34bc3255a..1cc73ed78 100644 --- a/docs/u_e-xmpp-enable.md +++ b/docs/u_e-xmpp-enable.md @@ -8,11 +8,12 @@ To enable XMPP for a domain, you need to edit the given domain in mailcow UI: ![Screen1](https://i.imgur.com/oLyHBke.png) -The chosen prefix will be your XMPP domain for all XMPP-enabled users in mailcow, for example: +The chosen prefix will be used to derive your XMPP login. -- Mailbox cowboy@develcow.de will equal to Jabber ID cowboy@**xmpp_prefix**.develcow.de +A prefix **xmpp_prefix** for the mailbox user `cowboy@develcow.de` would equal to the JID `cowboy@xmpp_prefix.develcow.de`. -**The passwords for mail and XMPP are the same.** +!!! info + The login passwords for mail and XMPP are the same. XMPP users are authenticated against mailcow. Before enabling XMPP for a domain, you should create two CNAME records in DNS: 
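Review bot: in the new docs/u_e-xmpp-enable.md from "Add XMPP", the instruction to "**do not** add "xmpp_prefix.domain.tld" as name to `ADDITIONAL_SAN`" is given without a reason, which makes it easy to ignore. The same page later says ejabberd acquires its own certificates, so one sentence tying the two together would do. Two small wording fixes in the same file: "contributers" should be "contributors", and "as long mailcow receives" should be "as long as mailcow receives".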
@@ -36,9 +37,9 @@ Once ejabberd is enabled, you may want to re-run the DNS check in the mailcow UI ``` # SRV records -# Name Type Priority Weight Port Value -_xmpp-client._tcp.xmpp_prefix IN SRV 10 1 5222 mail.example.org. (your ${MAILCOW_HOSTNAME}) -_xmpp-server._tcp.xmpp_prefix IN SRV 10 1 5269 mail.example.org. (your ${MAILCOW_HOSTNAME}) +# Name Type Value +_xmpp-client._tcp.xmpp_prefix IN SRV 10 1 5222 mail.example.org. (your ${MAILCOW_HOSTNAME}) +_xmpp-server._tcp.xmpp_prefix IN SRV 10 1 5269 mail.example.org. (your ${MAILCOW_HOSTNAME}) ``` There is no need to restart ejabberd, add these SRV records whenever you like. These records are crucial for autoconfiguration of XMPP clients and server-to-server connections. From bd4a1e23c78ac87607b0259163c6fce3b376bceb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Tue, 16 Feb 2021 15:00:39 +0100 Subject: [PATCH 113/220] Update u_e-xmpp-enable.md --- docs/u_e-xmpp-enable.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/docs/u_e-xmpp-enable.md b/docs/u_e-xmpp-enable.md index 1cc73ed78..3d4dc0adf 100644 --- a/docs/u_e-xmpp-enable.md +++ b/docs/u_e-xmpp-enable.md @@ -76,6 +76,18 @@ If your reverse proxy is configured to point to a site like `webmail.domain.tld` That's because mailcow does not know it should respond to `webmail.domain.tld` with mailcow UI. +### Method 1 + +A more simple approach is defining `ADDITIONAL_SERVER_NAMES` in `mailcow.conf`: + +``` +ADDITIONAL_SERVER_NAMES=webmail.domain.tld +``` + +Run `docker-compose up -d` to apply. + +### Method 2 + In your reverse proxy configuration, make sure you set a "Host" header that mailcow actually services, similar to this (Nginx example): ``` From 8e95131806f7fc1df403bfc3badde329c0be61e6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Tue, 16 Feb 2021 15:04:22 +0100 Subject: [PATCH 114/220] Update firststeps-rp.md --- docs/firststeps-rp.md | 10 ++++++++++ 1 file changed, 10 insertions(+) 
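Review bot: the SRV table header in docs/u_e-xmpp-enable.md is reduced to `# Name Type Value`, but both rows still carry priority, weight and port (`10 1 5222`, `10 1 5269`) ahead of the target. Suggest keeping the `Priority Weight Port` columns, as the SRV table in docs/prerequisite-dns.md does, so a reader filling in separate fields in a DNS panel knows which number goes where.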
diff --git a/docs/firststeps-rp.md b/docs/firststeps-rp.md index 3574c2767..1e1d00050 100644 --- a/docs/firststeps-rp.md +++ b/docs/firststeps-rp.md @@ -252,3 +252,13 @@ dovecot_c=$(docker ps -qaf name=dovecot-mailcow) nginx_c=$(docker ps -qaf name=nginx-mailcow) docker restart ${postfix_c} ${dovecot_c} ${nginx_c} ``` + +### Adding additional server names for mailcow UI + +If you plan to use a server name that is not `MAILCOW_HOSTNAME` in your reverse proxy, make sure to populate that name in mailcow.conf via `ADDITIONAL_SERVER_NAMES` first. Names must be separated by commas and **must not** contain spaces. If you skip this step, mailcow may respond to your reverse proxy with an incorrect site. + +``` +ADDITIONAL_SERVER_NAMES=webmail.domain.tld,other.example.tld +``` + +Run `docker-compose up -d` to apply. From 1c275581f673485a947964a05464050010ba88c9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Tue, 16 Feb 2021 15:06:48 +0100 Subject: [PATCH 115/220] Update firststeps-ssl.md --- docs/firststeps-ssl.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/docs/firststeps-ssl.md b/docs/firststeps-ssl.md index 8fc2a1656..61626c904 100644 --- a/docs/firststeps-ssl.md +++ b/docs/firststeps-ssl.md 
@@ -31,6 +31,17 @@ A wildcard name like `smtp.*` will try to obtain a smtp.DOMAIN_NAME SAN for each Run `docker-compose up -d` to recreate affected containers automatically. +!!! info + Using names other name `MAILCOW_HOSTNAME` to access the mailcow UI may need further configuration. + +If you plan to use a server name that is not `MAILCOW_HOSTNAME` to access the mailcow UI (for example by adding `mail.*` to `ADDITIONAL_SAN` make sure to populate that name in mailcow.conf via `ADDITIONAL_SERVER_NAMES`. Names must be separated by commas and **must not** contain spaces. If you skip this step, mailcow may respond with an incorrect site. + +``` +ADDITIONAL_SERVER_NAMES=webmail.domain.tld,other.example.tld +``` + +Run `docker-compose up -d` to apply. + ### Force renewal To force a renewal, you need to create a file named `force_renew` and restart the `acme-mailcow` container: From ab2207634b136f467000cd9f78db7d2c3cf434c7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Tue, 16 Feb 2021 16:34:13 +0100 Subject: [PATCH 116/220] Update u_e-xmpp-enable.md --- docs/u_e-xmpp-enable.md | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/docs/u_e-xmpp-enable.md b/docs/u_e-xmpp-enable.md index 3d4dc0adf..9d2f8c162 100644 --- a/docs/u_e-xmpp-enable.md +++ b/docs/u_e-xmpp-enable.md 
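Review bot: the text added to docs/firststeps-ssl.md has two wording defects: the info box reads "Using names other name `MAILCOW_HOSTNAME`" where "other than" is meant, and the parenthesis opened at "(for example by adding `mail.*` to `ADDITIONAL_SAN`" is never closed. The paragraph is otherwise a near copy of the one added to docs/firststeps-rp.md in the previous commit; a link to one shared explanation of `ADDITIONAL_SERVER_NAMES` would keep the two from drifting apart.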
@@ -2,6 +2,35 @@ XMPP is provided by ejabberd, which describes itself as robust, scalable and ext So first of all, thanks to ejabberd and its contributers! +## FAQs + +- **Are messages stored on the server?** + +Not by default. The default setting is to disable the message archive via mod_mam but allow users to enable the function if they want to: + +``` + mod_mam: + clear_archive_on_room_destroy: true + default: never + compress_xml: true + request_activates_archiving: true +``` + +- **Are uploaded files stored on the server?** + +Yes, uploaded files are stored in the volume `xmpp-uploads-vol-1`. + +The retention policy saves them for 30 days: + +``` + mod_http_upload_quota: + max_days: 30 +``` + +- **Are messages stored when a JID is offline?** + +Yes, up to 1000 messages are stored. + ## Enable XMPP in mailcow To enable XMPP for a domain, you need to edit the given domain in mailcow UI: From 11bf5ccc4eb4c2122def45ffa1a0a9c601143439 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Tue, 16 Feb 2021 16:40:46 +0100 Subject: [PATCH 117/220] Update mkdocs.yml --- mkdocs.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/mkdocs.yml b/mkdocs.yml index fe0cb444b..455d94657 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -96,8 +96,7 @@ nav: - 'Redis': 'u_e-redis.md' - 'Rspamd': 'u_e-rspamd.md' - 'SOGo': 'u_e-sogo.md' - - 'XMPP': - - 'Enable XMPP': 'u_e-xmpp-enable.md' + - 'XMPP': 'u_e-xmpp-enable.md' - 'Docker': - 'Customize Dockerfiles': 'u_e-docker-cust_dockerfiles.md' - 'Docker Compose Bash Completion': 'u_e-docker-dc_bash_compl.md' From c54afa99ab13f06f9287d8898d36b1d0f482a3d5 Mon Sep 17 00:00:00 2001 From: andryyy Date: Tue, 16 Feb 2021 16:55:54 +0100 Subject: [PATCH 118/220] More XMPP updates --- docs/u_e-xmpp-enable.md | 29 ----------------------------- docs/u_e-xmpp-faq.md | 38 ++++++++++++++++++++++++++++++++++++++ mkdocs.yml | 2 ++ 3 files changed, 40 insertions(+), 29 deletions(-) create mode 100644 docs/u_e-xmpp-faq.md 
diff --git a/docs/u_e-xmpp-enable.md b/docs/u_e-xmpp-enable.md index 9d2f8c162..3d4dc0adf 100644 --- a/docs/u_e-xmpp-enable.md +++ b/docs/u_e-xmpp-enable.md @@ -2,35 +2,6 @@ XMPP is provided by ejabberd, which describes itself as robust, scalable and ext So first of all, thanks to ejabberd and its contributers! -## FAQs - -- **Are messages stored on the server?** - -Not by default. The default setting is to disable the message archive via mod_mam but allow users to enable the function if they want to: - -``` - mod_mam: - clear_archive_on_room_destroy: true - default: never - compress_xml: true - request_activates_archiving: true -``` - -- **Are uploaded files stored on the server?** - -Yes, uploaded files are stored in the volume `xmpp-uploads-vol-1`. - -The retention policy saves them for 30 days: - -``` - mod_http_upload_quota: - max_days: 30 -``` - -- **Are messages stored when a JID is offline?** - -Yes, up to 1000 messages are stored. - ## Enable XMPP in mailcow To enable XMPP for a domain, you need to edit the given domain in mailcow UI: diff --git a/docs/u_e-xmpp-faq.md b/docs/u_e-xmpp-faq.md new file mode 100644 index 000000000..c4936c607 --- /dev/null +++ b/docs/u_e-xmpp-faq.md 
@@ -0,0 +1,38 @@ +## FAQ + +- **I do not want to run ejabberd, is there a `SKIP_XMPP` variable?** + +No, there is not. But you don't need one either. + +The xmppd behaves the same way as SOGo or Solr do when disabled. A shell will be idling and ejabberd will **not** be started. + +As soon as a domain is enabled for XMPP, the container will be restarted and ejabberd bootstrapped. + +ejabberd is **very** light on resources, you may want to give it a try. + +- **Are messages stored on the server?** + +Not by default. The default setting is to disable the message archive via mod_mam but allow users to enable the function if they want to: + +``` + mod_mam: + clear_archive_on_room_destroy: true + default: never + compress_xml: true + request_activates_archiving: true +``` + +- **Are uploaded files stored on the server?** + +Yes, uploaded files are stored in the volume `xmpp-uploads-vol-1`. + +The retention policy saves them for 30 days: + +``` + mod_http_upload_quota: + max_days: 30 +``` + +- **Are messages stored when a JID is offline?** + +Yes, up to 1000 messages are stored. diff --git a/mkdocs.yml b/mkdocs.yml index 455d94657..7796dd21f 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -97,6 +97,8 @@ nav: - 'Rspamd': 'u_e-rspamd.md' - 'SOGo': 'u_e-sogo.md' - 'XMPP': 'u_e-xmpp-enable.md' + - 'FAQ': 'u_e-xmpp-faq.md' + - 'Enable XMPP': 'u_e-xmpp-enable.md' - 'Docker': - 'Customize Dockerfiles': 'u_e-docker-cust_dockerfiles.md' - 'Docker Compose Bash Completion': 'u_e-docker-dc_bash_compl.md' From 2598bc45d4ebb385b060ee35d714ab7cce874f8b Mon Sep 17 00:00:00 2001 From: andryyy Date: Tue, 16 Feb 2021 21:32:37 +0100 Subject: [PATCH 119/220] More FAQs for XMPP --- docs/u_e-xmpp-faq.md | 40 +++++++++++++++++++++++++++++++++++++++- 1 file changed, 39 insertions(+), 1 deletion(-) diff --git a/docs/u_e-xmpp-faq.md b/docs/u_e-xmpp-faq.md index c4936c607..277fa4818 100644 --- a/docs/u_e-xmpp-faq.md +++ b/docs/u_e-xmpp-faq.md 
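Review bot: in the mkdocs.yml hunk of "More XMPP updates", `- 'FAQ': 'u_e-xmpp-faq.md'` and `- 'Enable XMPP': 'u_e-xmpp-enable.md'` are added directly after `- 'XMPP': 'u_e-xmpp-enable.md'`, which still maps to a page. If the two new entries are meant as its children, the parent has to become `- 'XMPP':` in this same commit; if they are meant as siblings, `u_e-xmpp-enable.md` is now listed twice in the nav.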
@@ -1,5 +1,7 @@ ## FAQ +Please find the most frequently asked questions with their corresponding configuration in `data/conf/ejabberd/ejabberd.yml` (if any). + - **I do not want to run ejabberd, is there a `SKIP_XMPP` variable?** No, there is not. But you don't need one either. @@ -35,4 +37,40 @@ The retention policy saves them for 30 days: - **Are messages stored when a JID is offline?** -Yes, up to 1000 messages are stored. +Yes, up to 1000 messages are stored for "normal" users and administrators: + +``` +shaper_rules: + max_user_offline_messages: + 1000: admin + 1000: all +``` + +- **Are messages written in group chats stored?** + +No, messages are not stored: + +``` + mod_muc: + default_room_options: + mam: false +``` + +- **Are group chats persistent when the last participant leaves?** + +No, they will vanish: + +``` + mod_muc: + default_room_options: + persistent: false +``` + +- **How many client sessions can be open at the same time?** + +10 sessions are allowed per session. + +``` +shaper_rules: + max_user_sessions: 10 +``` From 3119ad054b50a9ca7df8e979a827a272e9599997 Mon Sep 17 00:00:00 2001 From: andryyy Date: Thu, 18 Feb 2021 08:49:34 +0100 Subject: [PATCH 120/220] fix --- mkdocs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mkdocs.yml b/mkdocs.yml index 7796dd21f..c8b6933e6 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -96,7 +96,7 @@ nav: - 'Redis': 'u_e-redis.md' - 'Rspamd': 'u_e-rspamd.md' - 'SOGo': 'u_e-sogo.md' - - 'XMPP': 'u_e-xmpp-enable.md' + - 'XMPP': - 'FAQ': 'u_e-xmpp-faq.md' - 'Enable XMPP': 'u_e-xmpp-enable.md' - 'Docker': From 9e1239dd271293f395fd81cc71ddd19a58a206e4 Mon Sep 17 00:00:00 2001 
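Review bot: the last answer added to docs/u_e-xmpp-faq.md reads "10 sessions are allowed per session.", which does not say what the limit applies to. The setting quoted below it is `max_user_sessions: 10`, so the sentence should read "per user". The offline-message answer in the same hunk mentions "normal" users and administrators; it would help to say that both rows of `max_user_offline_messages` are set to 1000 so the distinction is not mistaken for a different limit.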
From: =?UTF-8?q?Malte=20M=C3=BCns?= Date: Wed, 3 Mar 2021 11:27:09 +0100 Subject: [PATCH 121/220] [TASK] Update build-thunderbird-plugins.sh to make it compatible with restructured sogo connector for thunderbird v78 --- docs/download/build-thunderbird-plugins.sh | 29 +++++++++++----------- 1 file changed, 15 insertions(+), 14 deletions(-) diff --git a/docs/download/build-thunderbird-plugins.sh b/docs/download/build-thunderbird-plugins.sh index 27f2e9ded..35ff84a26 100755 --- a/docs/download/build-thunderbird-plugins.sh +++ b/docs/download/build-thunderbird-plugins.sh @@ -10,27 +10,28 @@ fi cd $(dirname $0) -wget -O connector.tar.gz https://github.com/inverse-inc/sogo-connector/archive/sogo-connector-68.0.1.tar.gz - -mkdir -p connector -tar --strip-components=1 -C connector -xf connector.tar.gz +# we have to use the master branch, because there is no tag or release at the moment +wget -O connector.zip https://github.com/inverse-inc/sogo-connector/archive/master.zip +unzip connector.zip # build custom connector while read DOMAINS; do for DOMAIN in $DOMAINS; do echo "Building SOGo Connector for $DOMAIN hosted on $MAILHOST" - cd connector + cd sogo-connector-master mkdir -p custom/${DOMAIN} cp -r custom/sogo-demo/* custom/${DOMAIN}/ - sed -i "s/http:\/\/sogo-demo\.inverse\.ca/https:\/\/${MAILHOST}/g" custom/${DOMAIN}/chrome/content/sogo-connector/global/extensions.rdf - sed -i "s/plugins\/updates\.php[?]/thunderbird-plugins.php?domain=${DOMAIN}\&/g" custom/${DOMAIN}/chrome/content/sogo-connector/global/extensions.rdf - echo > custom/${DOMAIN}/defaults/preferences/site.js - echo 'pref("sogo-connector.autocomplete.server.urlid", "'${DOMAIN}'");' > custom/${DOMAIN}/defaults/preferences/site.js - echo 'pref("mail.collect_email_address_outgoing", false);' >> custom/${DOMAIN}/defaults/preferences/site.js - #sed -i 's/<\/Seq>/
  • <\/li>
  • <\/li><\/Seq>/g' custom/${DOMAIN}/chrome/content/sogo-connector/global/extensions.rdf + sed -i "s/https:\/\/demo\.sogo\.nu/https:\/\/${MAILHOST}/g" custom/${DOMAIN}/chrome/content/sogo-connector/general/custom-preferences.js + sed -i "s/plugins\/updates\.php[?]/thunderbird-plugins.php?domain=${DOMAIN}\&/g" chrome/content/sogo-connector/global/extensions.rdf + # adjust sogo-connector.autocomplete.server.urlid + sed -i "s/\"public\"/\"${MAILHOST}\"/g" custom/${DOMAIN}/chrome/content/sogo-connector/general/custom-preferences.js + # remove wrong timezone setting + sed -i 's/char_pref(\"calendar\.timezone\.local\", \"\/mozilla\.org\/20070129_1\/America\/Montreal\");//g' custom/${DOMAIN}/chrome/content/sogo-connector/general/custom-preferences.js + + echo 'bool_pref("mail.collect_email_address_outgoing", false);' >> custom/${DOMAIN}/chrome/content/sogo-connector/general/custom-preferences.js make build=${DOMAIN} - CONNECTOR_VER=$(grep em:version install.rdf | awk -F '"' '{print $2}') - CONNECTOR_MIN_VER=$(grep em:minVersion install.rdf | grep -Eo '[0-9\.]+' | head -n 1) + CONNECTOR_VER=$(grep \"version\" manifest.json | awk -F '"' '{print $4}') + CONNECTOR_MIN_VER=$(grep strict_min_version manifest.json | grep -Eo '[0-9\.]+' | head -n 1) mv sogo-connector-*.xpi ../sogo-connector-${CONNECTOR_VER}-${DOMAIN}.xpi cd .. done @@ -57,4 +58,4 @@ echo "sogo-connector@inverse.ca;${CONNECTOR_VER};sogo-connector-${CONNECTOR_VER} # echo "sieve@mozdev.org;${SIEVE_VER};sieve-${SIEVE_VER}.xpi" >> version.csv # echo "imap-acl@sirphreak.com;${IMAP_ACL_VER};imap_acl_extension-${IMAP_ACL_VER}-tb.xpi" >> version.csv -rm -rf connector *.tar.gz +rm -rf sogo-connector-master *.zip From 6ab9d4f72f6df59d00f0f73b91b62ef93c183958 Mon Sep 17 00:00:00 2001 From: MAGIC Date: Fri, 12 Mar 2021 18:06:39 +0100 Subject: [PATCH 122/220] Is now u_e-fido2.md --- docs/model-fido2.md | 23 ----------------------- 1 file changed, 23 deletions(-) delete mode 100644 docs/model-fido2.md 
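Review bot: in docs/download/build-thunderbird-plugins.sh, the second `sed -i` now targets `chrome/content/sogo-connector/global/extensions.rdf` in the shared source tree instead of a path under `custom/${DOMAIN}/`. The file is rewritten in place on the first loop iteration, so for every later domain the pattern `plugins\/updates\.php[?]` no longer matches and the build keeps the first domain's `domain=` parameter. Suggest editing a per-domain copy, or restoring the file before each iteration. Separately, the download of `archive/master.zip` builds an installable `.xpi` from whatever the branch contains at run time; pinning the URL to a commit archive and checking a recorded checksum before `unzip` would make the build reproducible and reviewable.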
diff --git a/docs/model-fido2.md b/docs/model-fido2.md deleted file mode 100644 index 8b0f58e86..000000000 --- a/docs/model-fido2.md +++ /dev/null @@ -1,23 +0,0 @@ -## How is UV handled in mailcow? - -The UV flag (as in "user verification") enforces WebAuthn to verify the user before it allows access to the key (think of a PIN). We don't enforce but prefer UV to allow logins via iOS and NFC (YubiKey). - -## Login and key processing - -mailcow uses **client-side key processing**. We ask the authenticator (i.e. YubiKey) to save the registration in its memory. - -A user does not need to enter a username. The available credentials - if any - will be shown to the user when selecting the "key login" via mailcow UI login. - -When calling the login process, the authenticator is not given any credential IDs. This will force it to lookup credentials in its own memory. - -## Who can use WebAuthn to login to mailcow? - -As of today, only administrators and domain administrators are able to setup WebAuthn/FIDO2. - -## iOS problems - -Please use a desktop computer to register your key with your mailcow account. - -The process was tested using a YubiKey with Chrome on Windows. When registering a new, empty key, you will be prompted for a PIN for the new YubiKey. Once set and confirmed, the credentials are stored on the key. Using it with iOS works flawless now. - -iOS seems not to be able to set a PIN on the device on first use, so please use a desktop computer for this step. From 92d5997908a67c797d004dc6bcaa486a0af5af5d Mon Sep 17 00:00:00 2001 From: MAGIC Date: Fri, 12 Mar 2021 18:07:37 +0100 Subject: [PATCH 123/220] Add redirects for pages --- .travis.yml | 2 +- mkdocs.yml | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 4f65a58ec..78cdde8a9 100644 --- a/.travis.yml +++ b/.travis.yml 
@@ -1,6 +1,6 @@ language: python install: -- pip install mkdocs-material pygments +- pip install mkdocs-material pygments mkdocs-redirects script: - mkdocs build --verbose --clean deploy: diff --git a/mkdocs.yml b/mkdocs.yml index c8b6933e6..0abace861 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -142,3 +142,7 @@ extra: link: https://github.com/mailcow extra_css: [extra.css] extra_javascript: [clients.js] +plugins: + - redirects: + redirect_maps: + 'u_e-mailpiler-integration.md': 'third_party-mailpiler_integration.md' \ No newline at end of file From 2f02b0475840a160c90df8aa052d6cdb64375fb6 Mon Sep 17 00:00:00 2001 From: MAGIC Date: Fri, 12 Mar 2021 18:58:54 +0100 Subject: [PATCH 124/220] Add search plugin to mkdocs.yml --- mkdocs.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/mkdocs.yml b/mkdocs.yml index 0abace861..47035ce7d 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -143,6 +143,7 @@ extra: extra_css: [extra.css] extra_javascript: [clients.js] plugins: + - search - redirects: redirect_maps: 'u_e-mailpiler-integration.md': 'third_party-mailpiler_integration.md' \ No newline at end of file From bc701f788e707790f52d1c51fb743f6e929c06c4 Mon Sep 17 00:00:00 2001 From: Peter Date: Fri, 12 Mar 2021 21:55:33 +0100 Subject: [PATCH 125/220] Update .travis.yml Use cleanup because skip_cleanup is deprecated --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 78cdde8a9..d4f109e05 100644 --- a/.travis.yml +++ b/.travis.yml @@ -5,7 +5,7 @@ script: - mkdocs build --verbose --clean deploy: provider: pages - skip_cleanup: true + cleanup: false github_token: $GITHUB_TOKEN local_dir: site name: $BOT_NAME From d8cbe9476f0df7fb5f2f8803a4fc551a480c1a17 Mon Sep 17 00:00:00 2001 From: MAGIC Date: Fri, 12 Mar 2021 22:08:48 +0100 Subject: [PATCH 126/220] Revert "Update .travis.yml" This reverts commit bc701f788e707790f52d1c51fb743f6e929c06c4. --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
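Review bot: the `redirect_maps` block added to mkdocs.yml covers only `u_e-mailpiler-integration.md`, although this series also moves `u_e-exchange-onprem.md` to `third_party-exchange_onprem.md` and deletes `docs/model-fido2.md` with the subject "Is now u_e-fido2.md". Suggest adding entries for both so existing links keep working. The file also ends without a trailing newline (`\ No newline at end of file`), and `mkdocs-redirects` is added to the `pip install` line in .travis.yml without a version, so the deploy job installs whatever release is current at build time.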
diff --git a/.travis.yml b/.travis.yml index d4f109e05..78cdde8a9 100644 --- a/.travis.yml +++ b/.travis.yml @@ -5,7 +5,7 @@ script: - mkdocs build --verbose --clean deploy: provider: pages - cleanup: false + skip_cleanup: true github_token: $GITHUB_TOKEN local_dir: site name: $BOT_NAME From 729098734cb9f70463989525e92d428b46d31a2e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Wed, 17 Mar 2021 16:51:45 +0100 Subject: [PATCH 127/220] Update firststeps-logging.md --- docs/firststeps-logging.md | 43 +++++++++++++++++++++++++++++++++++++- 1 file changed, 42 insertions(+), 1 deletion(-) diff --git a/docs/firststeps-logging.md b/docs/firststeps-logging.md index 8c758a436..2f12c33fb 100644 --- a/docs/firststeps-logging.md +++ b/docs/firststeps-logging.md @@ -26,6 +26,8 @@ Redis keys will only hold logs from applications and filter out system messages ### Logging drivers +#### Via docker-compose.override.yml + Here is the good news: Since Docker has some great logging drivers, you can integrate mailcow: dockerized into your existing logging environment with ease. Create a `docker-compose.override.yml` and add, for example, this block to use the "gelf" logging plugin for `postfix-mailcow`: 
@@ -40,7 +42,46 @@ services: gelf-address: "udp://graylog:12201" ``` -If you want to change the logging driver globally, edit Dockers daemon configuration file `/etc/docker/daemon.json` and restart the Docker service: +Another example for **Syslog**: + +``` +version: '2.1' +services: + + postfix-mailcow: # or any other + logging: + driver: "syslog" + options: + syslog-address: "udp://127.0.0.1:514" + syslog-facility: "local3" + + dovecot-mailcow: # or any other + logging: + driver: "syslog" + options: + syslog-address: "udp://127.0.0.1:514" + syslog-facility: "local3" + + rspamd-mailcow: # or any other + logging: + driver: "syslog" + options: + syslog-address: "udp://127.0.0.1:514" + syslog-facility: "local3" + +# For Rsyslog only: +# To move local3 input to /var/log/mailcow.log and stop processing, create a file "/etc/rsyslog.d/docker.conf": + +local3.* /var/log/mailcow.logs +& ~ + +# Restart rsyslog afterwards. + +``` + +#### via daemon.json (globally) + +If you want to **change the logging driver globally**, edit Dockers daemon configuration file `/etc/docker/daemon.json` and restart the Docker service: ``` { From 3022fd332097f48e24a3c2ed15adc51691414ad6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Sun, 21 Mar 2021 20:27:51 +0100 Subject: [PATCH 128/220] Update index.md --- docs/index.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/index.md b/docs/index.md index 4fe59848b..f199d0793 100644 --- a/docs/index.md +++ b/docs/index.md 
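Review bot: In the Syslog example added to docs/firststeps-logging.md, the rsyslog rule (`local3.* /var/log/mailcow.logs` followed by `& ~`) sits inside the same fenced block as the compose override, so anyone who copies the block into `docker-compose.override.yml` gets invalid YAML. Move the rsyslog part into its own fenced block introduced by the `/etc/rsyslog.d/docker.conf` sentence. The comment names `/var/log/mailcow.log` while the rule writes to `/var/log/mailcow.logs`, so one of the two is a typo. The new heading `#### via daemon.json (globally)` should be capitalised like `#### Via docker-compose.override.yml`.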
@@ -6,6 +6,10 @@ Please consider a support contract for a small monthly fee at [Servercow EN](htt If you are super awesome and would like to support without a contract, you can get a SAL license that confirms your awesomeness (a flexible one-time payment) at [Servercow EN](https://www.servercow.de/mailcow?lang=en#sal)/[Servercow DE](https://www.servercow.de/mailcow#sal). +₿ If you like anonymous donations, please consider a Bitcoin donation via **1E5rgzgA1sS3QH7r1ToWxRC3GEavfsGMrx** + +![grafik](https://user-images.githubusercontent.com/2972950/111918092-beb7d680-8a83-11eb-9a98-1fe43d3e0deb.png) + ## Get support There are two ways to achieve support for your mailcow installation. From b2e3599d0baf8b686edf1cd6b8e7789bedae0b54 Mon Sep 17 00:00:00 2001 From: fabreg Date: Wed, 31 Mar 2021 22:59:12 +0200 Subject: [PATCH 129/220] Update third_party-gitea.md Added a step needed if you use http to https redirect --- docs/third_party-gitea.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/docs/third_party-gitea.md b/docs/third_party-gitea.md index 92e20fcae..62f8bad42 100644 --- a/docs/third_party-gitea.md +++ b/docs/third_party-gitea.md 
@@ -33,11 +33,13 @@ GITEA_SSH_PORT=127.0.0.1:4000 5\. Run `docker-compose up -d` to bring up the gitea container and run `docker-compose restart nginx-mailcow` afterwards. -6\. Open `http://${MAILCOW_HOSTNAME}/gitea/`, for example `http://mx.example.org/gitea/`. For database details set `mysql` as database host. Use the value of DBNAME found in mailcow.conf as database name, DBUSER as database user and DBPASS as database password. +6\. If you forced mailcow to https, execute step 9 and restart gitea with `docker-compose restart gitea-mailcow` . Go head with step 7 (Remember to use https instead of http, `https://mx.example.org/gitea/` -7\. Once the installation is complete, login as admin and set "settings" -> "authorization" -> "enable SMTP". SMTP Host should be `postfix` with port `587`, set `Skip TLS Verify` as we are using an unlisted SAN ("postfix" is most likely not part of your certificate). +7\. Open `http://${MAILCOW_HOSTNAME}/gitea/`, for example `http://mx.example.org/gitea/`. For database details set `mysql` as database host. Use the value of DBNAME found in mailcow.conf as database name, DBUSER as database user and DBPASS as database password. -8\. Create `data/gitea/gitea/conf/app.ini` and set following values. You can consult [gitea cheat sheet](https://docs.gitea.io/en-us/config-cheat-sheet/) for their meaning and other possible values. +8\. Once the installation is complete, login as admin and set "settings" -> "authorization" -> "enable SMTP". SMTP Host should be `postfix` with port `587`, set `Skip TLS Verify` as we are using an unlisted SAN ("postfix" is most likely not part of your certificate). + +9\. Create `data/gitea/gitea/conf/app.ini` and set following values. You can consult [gitea cheat sheet](https://docs.gitea.io/en-us/config-cheat-sheet/) for their meaning and other possible values. ``` [server] 
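Review bot: The new step 6 in docs/third_party-gitea.md never closes the parenthesis it opens at "(Remember to use https instead of http" and reads "Go head" where "Go ahead" is meant. It also sends the reader forward to step 9 and then back to step 7; moving the `app.ini` step ahead of the first visit to the installer would keep the list in execution order. Step 7 still shows only `http://` URLs, so a reader who forced HTTPS has to translate them by hand; giving the `https://mx.example.org/gitea/` form there as well would avoid that.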
@@ -49,4 +51,4 @@ SSH_PORT = 4000 ROOT_URL = https://mx.example.org/gitea/ ``` -9\. Restart gitea with `docker-compose restart gitea-mailcow`. Your users should be able to login with mailcow managed accounts. +10\. Restart gitea with `docker-compose restart gitea-mailcow`. Your users should be able to login with mailcow managed accounts. From a3f0507573c9b0fecc3b0f2582c0ed2318ef6623 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Thu, 1 Apr 2021 10:51:03 +0200 Subject: [PATCH 130/220] Update index.md --- docs/index.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/docs/index.md b/docs/index.md index f199d0793..4fe59848b 100644 --- a/docs/index.md +++ b/docs/index.md @@ -6,10 +6,6 @@ Please consider a support contract for a small monthly fee at [Servercow EN](htt If you are super awesome and would like to support without a contract, you can get a SAL license that confirms your awesomeness (a flexible one-time payment) at [Servercow EN](https://www.servercow.de/mailcow?lang=en#sal)/[Servercow DE](https://www.servercow.de/mailcow#sal). -₿ If you like anonymous donations, please consider a Bitcoin donation via **1E5rgzgA1sS3QH7r1ToWxRC3GEavfsGMrx** - -![grafik](https://user-images.githubusercontent.com/2972950/111918092-beb7d680-8a83-11eb-9a98-1fe43d3e0deb.png) - ## Get support There are two ways to achieve support for your mailcow installation. From 7cafbbae1b9581a226919a97a0f9c1b77408b349 Mon Sep 17 00:00:00 2001 From: Adriano Date: Thu, 1 Apr 2021 22:26:28 +0200 Subject: [PATCH 131/220] Add reference to "SOGoUIxDebugEnabled = YES" --- docs/u_e-sogo.md | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/docs/u_e-sogo.md b/docs/u_e-sogo.md index 909e10918..3fde37361 100644 --- a/docs/u_e-sogo.md +++ b/docs/u_e-sogo.md 
@@ -1,10 +1,15 @@ SOGo is used for accessing your mails via a webbrowser, adding and sharing your contacts or calendars. For a more in-depth documentation on SOGo please visit its [own documentation](http://wiki.sogo.nu/). -## Change theme +## Apply custom SOGo theme mailcow builds after 28 January 2021 can change SOGo's theme by editing `data/conf/sogo/custom-theme.js`. -Please check the AngularJS Material [intro](https://material.angularjs.org/latest/Theming/01_introduction) and [documentation](https://material.angularjs.org/latest/Theming/03_configuring_a_theme) as well as the [material style guideline](https://material.io/archive/guidelines/style/color.html#color-color-palette) to learn how this works. -After you updated said file you need to restart SOGo and Memcached containers by executing `docker-compose restart memcached-mailcow sogo-mailcow`. +Please check the AngularJS Material [intro](https://material.angularjs.org/latest/Theming/01_introduction) and [documentation](https://material.angularjs.org/latest/Theming/03_configuring_a_theme) as well as the [material style guideline](https://material.io/archive/guidelines/style/color.html#color-color-palette) to learn how this works. + +You can use the provided `custom-theme.js` as an example starting point by removing the comments. +After you modified `data/conf/sogo/custom-theme.js` and made changes to your new SOGo theme you need to + +* edit `data/conf/sogo/sogo.conf` and append/set `SOGoUIxDebugEnabled = YES;` +* restart SOGo and Memcached containers by executing `docker-compose restart memcached-mailcow sogo-mailcow`. ## Reset to SOGo default theme Checkout `data/conf/sogo/custom-theme.js` by executing `git fetch ; git checkout origin/master data/conf/sogo/custom-theme.js data/conf/sogo/custom-theme.js` 
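Review bot: The first new bullet tells the reader to set `SOGoUIxDebugEnabled = YES;` in `data/conf/sogo/sogo.conf` but gives no reason and does not say whether to switch it off again once the theme works. Going by its name this is a debug switch, so the text should state why a custom theme needs it and whether it is meant to stay enabled on a production install. The sentence "After you modified `data/conf/sogo/custom-theme.js` and made changes to your new SOGo theme" says the same thing twice and can be cut to one clause.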
@@ -19,9 +24,9 @@ Find in `data/conf/sogo/custom-theme.js`: 'hue-3': 'A700' }) .accentPalette('green', { - 'default': '600', // background color of fab buttons + 'default': '600', // background color of fab buttons and login screen 'hue-1': '300', // background color of center list toolbar - 'hue-2': '300', + 'hue-2': '300', // highlight color for selected mail and current day calendar 'hue-3': 'A700' }) .backgroundPalette('frost-grey'); From 15db9aba298fd19342c23ab7cfbd2397d5a0ea4b Mon Sep 17 00:00:00 2001 From: andryyy Date: Sat, 10 Apr 2021 11:22:36 +0200 Subject: [PATCH 132/220] Remove "Untrust RFC1918" --- docs/firststeps-trust_networks.md | 11 +++++++++++ mkdocs.yml | 4 ++-- 2 files changed, 13 insertions(+), 2 deletions(-) create mode 100644 docs/firststeps-trust_networks.md diff --git a/docs/firststeps-trust_networks.md b/docs/firststeps-trust_networks.md new file mode 100644 index 000000000..e12dd9dfb --- /dev/null +++ b/docs/firststeps-trust_networks.md @@ -0,0 +1,11 @@ +Per default mailcow considers all networks as untrusted, except for its own IPV4_NETWORK and IPV6_NETWORK scope. Though it is reasonable in most cases, you may want to loosen this restriction under certain circumstances to allow connections from other networks. + +To change this behaviour override the default value of `mynetworks` parameter through the `data/conf/postfix/extra.cf` configuration file. + +**Important**: Do **not** remove the networks listed as `IPV4_NETWORK` and `IPV6_NETWORK` in your mailcow.conf. You should also keep local addresses. To add `1.2.3.4/32` it may look like the configuration below: + +``` +mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 172.22.1.0/24 [fd4d:6169:6c63:6f77::]/64 1.2.3.4/32 +``` + +Per default we use "mynetworks_style = subnet" to only include local networks we are part of. diff --git a/mkdocs.yml b/mkdocs.yml index 47035ce7d..6da9afd31 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
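Review bot: The new docs/firststeps-trust_networks.md shows how to extend `mynetworks` but never says what being trusted allows, whereas the page it replaces (docs/firststeps-rfc-1918.md) warned that trusting the network a reverse proxy lives in "may result in an open relay". Carry that warning over next to the `1.2.3.4/32` example and recommend adding single hosts rather than whole ranges. The closing sentence about `mynetworks_style = subnet` sits oddly after an instruction to set `mynetworks` by hand; say how the two settings interact.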
@@ -39,7 +39,7 @@ nav: - 'Rspamd UI': 'firststeps-rspamd_ui.md' - 'SNAT': 'firststeps-snat.md' - 'Sync job migration': 'firststeps-sync_jobs_migration.md' - - 'Untrust RFC 1918': 'firststeps-rfc-1918.md' + - 'Add trsteded networks': 'firststeps-trust_networks.md' - 'Models': - 'ACL': 'model-acl.md' - 'Password hashing': 'model-passwd.md' @@ -146,4 +146,4 @@ plugins: - search - redirects: redirect_maps: - 'u_e-mailpiler-integration.md': 'third_party-mailpiler_integration.md' \ No newline at end of file + 'u_e-mailpiler-integration.md': 'third_party-mailpiler_integration.md' From 332a07c95a8008021de68cf89f2314b19d8a83da Mon Sep 17 00:00:00 2001 From: andryyy Date: Sat, 10 Apr 2021 11:26:03 +0200 Subject: [PATCH 133/220] Remove "Untrust RFC1918" --- docs/firststeps-rfc-1918.md | 11 ----------- 1 file changed, 11 deletions(-) delete mode 100644 docs/firststeps-rfc-1918.md diff --git a/docs/firststeps-rfc-1918.md b/docs/firststeps-rfc-1918.md deleted file mode 100644 index d99fbb5c0..000000000 --- a/docs/firststeps-rfc-1918.md +++ /dev/null 
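Review bot: The nav entry in mkdocs.yml now points at `firststeps-trust_networks.md`, but `redirect_maps` gains no entry for `firststeps-rfc-1918.md`, so existing links to the old page break once that file is deleted. Add `'firststeps-rfc-1918.md': 'firststeps-trust_networks.md'` next to the mailpiler redirect. The label `'Add trsteded networks'` is misspelled.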
@@ -1,11 +0,0 @@ -Per default, mailcow considers all private RFC1918 networks (i.e. 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) as trusted. Though it is reasonable in most cases, you may want to restrict this setting under certain circumstances. In particular, if you are using some kind of reverse proxy for SMTP TCP ports. If your reverse proxy host is located in a private net, mailcow will consider all traffic from it as trusted, which may result in an open relay. - -To change this behaviour override the default value of `mynetworks` parameter through the `data/conf/postfix/extra.cf` configuration file. - -**Important**: Do **not** remove the networks listed as `IPV4_NETWORK` and `IPV6_NETWORK` in your mailcow.conf. You should also keep local addresses. - -The default values for those variables - `172.22.1.0/24` and `fd4d:6169:6c63:6f77::/64` - would result in the following, minimal configuration: - -``` -mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 172.22.1.0/24 [fd4d:6169:6c63:6f77::]/64 -``` From 67a5bec516d6b7593ee9d4c578094f57489f053d Mon Sep 17 00:00:00 2001 From: MAGIC Date: Sat, 10 Apr 2021 22:36:25 +0200 Subject: [PATCH 134/220] Add ejabberd + sort lists --- docs/index.md | 37 ++++++++++++++++++++++--------------- 1 file changed, 22 insertions(+), 15 deletions(-) diff --git a/docs/index.md b/docs/index.md index 4fe59848b..c54fb769d 100644 --- a/docs/index.md +++ b/docs/index.md 
@@ -64,29 +64,36 @@ The integrated **mailcow UI** allows administrative work on your mail server ins mailcow: dockerized comes with multiple containers linked in one bridged network. Each container represents a single application. -- [Dovecot](https://www.dovecot.org/) +- [ACME](https://letsencrypt.org/) - [ClamAV](https://www.clamav.net/) (optional) -- [Solr](http://lucene.apache.org/solr/) (optional) -- [Oletools](https://github.com/decalage2/oletools) via [Olefy](https://github.com/HeinleinSupport/olefy) -- [Memcached](https://www.memcached.org/) -- [Redis](https://redis.io/) +- [Dovecot](https://www.dovecot.org/) +- [ejabberd](https://www.ejabberd.im/) - [MariaDB](https://mariadb.org/) -- [Unbound](https://unbound.net/) +- [Memcached](https://www.memcached.org/) +- [Netfilter](https://www.netfilter.org/) (Fail2ban-like integration by [@mkuron](https://github.com/mkuron)) +- [Nginx](https://nginx.org/) +- [Oletools](https://github.com/decalage2/oletools) via [Olefy](https://github.com/HeinleinSupport/olefy) - [PHP](https://php.net/) - [Postfix](http://www.postfix.org/) -- [ACME](https://letsencrypt.org/) -- [Nginx](https://nginx.org/) +- [Redis](https://redis.io/) - [Rspamd](https://www.rspamd.com/) - [SOGo](https://sogo.nu/) -- [Netfilter](https://www.netfilter.org/) (Fail2ban-like integration by [@mkuron](https://github.com/mkuron)) +- [Solr](http://lucene.apache.org/solr/) (optional) +- [Unbound](https://unbound.net/) - A Watchdog to provide basic monitoring **Docker volumes** to keep dynamic data - take care of them! -- vmail-vol-1 -- solr-vol-1 -- redis-vol-1 -- mysql-vol-1 -- rspamd-vol-1 -- postfix-vol-1 - crypt-vol-1 +- mysql-socket-vol-1 +- mysql-vol-1 +- postfix-vol-1 +- redis-vol-1 +- rspamd-vol-1 +- sogo-userdata-backup-vol-1 +- sogo-web-vol-1 +- solr-vol-1 +- vmail-index-vol-1 +- vmail-vol-1 +- xmpp-upload-vol-1 +- xmpp-vol-1 From 0cb86a87d0df676719e53428b26ca965c086db1d Mon Sep 17 00:00:00 2001 
From: MAGIC Date: Sat, 10 Apr 2021 22:37:10 +0200 Subject: [PATCH 135/220] fix typo --- mkdocs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mkdocs.yml b/mkdocs.yml index 6da9afd31..328ea89d4 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -39,7 +39,7 @@ nav: - 'Rspamd UI': 'firststeps-rspamd_ui.md' - 'SNAT': 'firststeps-snat.md' - 'Sync job migration': 'firststeps-sync_jobs_migration.md' - - 'Add trsteded networks': 'firststeps-trust_networks.md' + - 'Add trusted networks': 'firststeps-trust_networks.md' - 'Models': - 'ACL': 'model-acl.md' - 'Password hashing': 'model-passwd.md' From 32f5c3158377a2658dbd46e0a16f737f258ee894 Mon Sep 17 00:00:00 2001 From: Felix Kaechele Date: Fri, 16 Apr 2021 19:36:22 -0400 Subject: [PATCH 136/220] Third-party: Borgmatic Backup This guide describes setting up automatic recurring backups using borgmatic. This is a good alternative to juggling tar archives. Signed-off-by: Felix Kaechele --- docs/third_party-borgmatic.md | 247 ++++++++++++++++++++++++++++++++++ mkdocs.yml | 1 + 2 files changed, 248 insertions(+) create mode 100644 docs/third_party-borgmatic.md diff --git a/docs/third_party-borgmatic.md b/docs/third_party-borgmatic.md new file mode 100644 index 000000000..4d9de3d01 --- /dev/null +++ b/docs/third_party-borgmatic.md 
@@ -0,0 +1,247 @@ +# Borgmatic Backup + +## Introduction + +Borgmatic is a great way to run backups on your Mailcow setup as it securely encrypts your data and is extremely easy to +set up. + +Due to it's deduplication capabilities you can store a great number of backups without wasting large amounts of disk +space. This allows you to run backups in very short intervals to ensure minimal data loss when the need arises to +recover data from a backup. + +This document guides you through the process to enable continuous backups for mailcow with borgmatic. The borgmatic +functionality is provided by the [borgmatic Docker image by b3vis](https://github.com/b3vis/docker-borgmatic). Check out +the `README` in that repository to find out about the other options (such as push notifications) that are available. +This guide only covers the basics. + +## Setting up borgmatic + +### Create or amend `docker-compose.override.yml` + +In the mailcow-dockerized root folder create or edit `docker-compose.override.yml` and insert the following +configuration: + +```yaml +version: '2.1' +services: + borgmatic-mailcow: + image: b3vis/borgmatic + restart: always + dns: ${IPV4_NETWORK:-172.22.1}.254 + volumes: + - vmail-vol-1:/mnt/source/vmail:ro + - mysql-socket-vol-1:/var/run/mysqld/:z + - ./data/conf/borgmatic/etc:/etc/borgmatic.d:Z + - ./data/conf/borgmatic/state:/root/.config/borg:Z + - ./data/conf/borgmatic/ssh:/root/.ssh:Z + environment: + - TZ=${TZ} + - BORG_PASSPHRASE=YouBetterPutSomethingRealGoodHere + networks: + mailcow-network: + aliases: + - borgmatic +``` + +Ensure that you change the `BORG_PASSPHRASE` to a secure passphrase of your choosing. + +For security reasons we mount the maildir as read-only. If you later want to restore data you will need to remove +the `ro` flag prior to restoring the data. This is described in the section on restoring backups. + +### Create `data/conf/borgmatic/etc/config.yaml` + +Next, we need to create the borgmatic configuration. 
+ +```shell +source mailcow.conf +cat < data/conf/borgmatic/etc/config.yaml +location: + source_directories: + - /mnt/source + repositories: + - user@rsync.net:mailcow + remote_path: borg1 + +retention: + keep_hourly: 24 + keep_daily: 7 + keep_weekly: 4 + keep_monthly: 6 + +hooks: + mysql_databases: + - name: ${DBNAME} + username: ${DBUSER} + password: ${DBPASS} + options: --default-character-set=utf8mb4 +EOF +``` + +Creating the file in this way ensures the correct MySQL credentials are pulled in from `mailcow.conf`. + +This file is a minimal example for using borgmatic with an account `user` on the cloud storage provider `rsync.net` for +a repository called `mailcow` (see `repositories` setting). It will backup both the maildir and MySQL database, which is +all you should need to restore your mailcow setup after an incident. The retention settings will keep one archive for +each hour of the past 24 hours, one per day of the week, one per week of the month and one per month of the past half +year. + +Check the [borgmatic documentation](https://torsion.org/borgmatic/) on how to use other types of repositories or +configuration options. If you choose to use a local filesystem as a backup destination make sure to mount it into the +container. The container defines a volume called `/mnt/borg-repository` for this purpose. + +!!! note + If you do not use rsync.net you can most likely drop the `remote_path` element from your config. + +### Create a crontab + +Create a new text file in `data/conf/borgmatic/etc/crontab.txt` with the following content: + +``` +14 * * * * PATH=$PATH:/usr/bin /usr/bin/borgmatic --stats -v 0 2>&1 +``` + +This file expects crontab syntax. The example shown here will trigger the backup to run every hour at 14 minutes past +the hour and log some nice stats at the end. + +### Place SSH keys in folder + +Place the SSH keys you intend to use for remote repository connections in `data/conf/borgmatic/ssh`. 
OpenSSH expects the +usual `id_rsa`, `id_ed25519` or similar to be in this directory. Ensure the file is `chmod 600` and not world readable +or OpenSSH will refuse to use the SSH key. + +### Bring up the container + +For the next step we need the container to be up and running in a configured state. To do that run: + +```shell +docker-compose up -d +``` + +### Initialize the repository + +By now your borgmatic container is up and running, but the backups will currently fail due to the repository not being +initialized. + +To initialize the repository run: + +```shell +docker-compose exec borgmatic-mailcow borgmatic init --encryption repokey-blake2 +``` + +You will be asked you to authenticate the SSH host key of your remote repository server. See if it matches and confirm +the prompt by entering `yes`. The repository will be initialized with the passphrase you set in the `BORG_PASSPHRASE` +environment variable earlier. + +When using any of the `repokey` encryption methods the encryption key will be stored in the repository itself and not on +the client, so there is no further action required in this regard. If you decide to use a `keyfile` instead of +a `repokey` make sure you export the key and back it up separately. Check the [Exporting Keys](#exporting-keys) section +for how to retrieve the key. + +### Restart container + +Now that we finished configuring and initializing the repository restart the container to ensure it is in a defined +state: + +```shell +docker-compose restart borgmatic-mailcow +``` + +## Restoring from a backup + +Restoring a backup assumes you are starting off with a fresh installation of mailcow, and you currently do not have +any custom data in your maildir or your mailcow database. + +### Restore maildir + +!!! warning + Doing this will overwrite files in your maildir! Do not run this unless you actually intend to recover mail + files from a backup. + +!!! 
note "If you use SELinux in Enforcing mode" + If you are using mailcow on a host with SELinux in Enforcing mode you will have to temporarily disable it during + extraction of the archive as the mailcow setup labels the vmail volume as private, belonging to the dovecot container + exclusively. SELinux will (rightfully) prevent any other container, such as the borgmatic container, from writing to + this volume. + +Before running a restore you must make the vmail volume writeable in `docker-compose.override.yml` by removing +the `ro` flag from the volume. +Then you can use the following command to restore the maildir from a backup: + +```shell +docker-compose exec borgmatic-mailcow borgmatic extract --path mnt/source --archive latest +``` + +Alternatively you can specify any archive name from the list of archives (see +[Listing all available archives](#listing-all-available-archives)) + +### Restore MySQL + +!!! warning + Running this command will delete and recreate the mailcow database! Do not run this unless you actually + intend to recover the mailcow database from a backup. + +To restore the MySQL database from the latest archive use this command: + +```shell +docker-compose exec borgmatic-mailcow borgmatic restore --archive latest +``` + +Alternatively you can specify any archive name from the list of archives (see +[Listing all available archives](#listing-all-available-archives)) + +### After restoring + +After restoring you need to restart mailcow. If you disabled SELinux enforcing mode now would be a good time to +re-enable it. + +To restart mailcow use the follwing command: + +```shell +docker-compose down && docker-compose up -d +``` + +If you use SELinux this will also trigger the re-labeling of all files in your vmail volume. Be patient, as this may +take a while if you have lots of files. 
+ +## Useful commands + +### Manual archiving run (with debugging output) + +```shell +docker-compose exec borgmatic-mailcow borgmatic -v 2 +``` + +### Listing all available archives + +```shell +docker-compose exec borgmatic-mailcow borgmatic list +``` + +### Break lock + +When borg is interrupted during an archiving run it will leave behind a stale lock that needs to be cleared before any +new operations can be performed: + +```shell +docker-compose exec borgmatic-mailcow borg break-lock user@rsync.net:mailcow +``` + +Where `user@rsync.net:mailcow` is the URI to your repository. + +Now would be a good time to do a manual archiving run to ensure it can be successfully performed. + +### Exporting keys + +When using any of the `keyfile` methods for encryption you **MUST** take care of backing up the key files yourself. The +key files are generated when you initialize the repository. The `repokey` methods store the key file within the +repository, so a manual backup isn't as essential. + +Note that in either case you also must have the passphrase to decrypt any archives. + +To fetch the keyfile run: + +```shell +docker-compose exec borgmatic-mailcow borg key export --paper user@rsync.net:mailcow +``` + +Where `user@rsync.net:mailcow` is the URI to your repository. \ No newline at end of file diff --git a/mkdocs.yml b/mkdocs.yml index 328ea89d4..5ec91ef3e 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -121,6 +121,7 @@ nav: - 'Windows Phone': 'client/client-windowsphone.md' - 'Manual configuration': 'client/client-manual.md' - 'Third party apps': + - 'Borgmatic Backup': 'third_party-borgmatic.md' - 'Exchange Hybrid Setup': 'third_party-exchange_onprem.md' - 'Gitea': 'third_party-gitea.md' - 'Gogs': 'third_party-gogs.md' From d1e8fbc470770d768868238cd2d07ca426d0d3c1 Mon Sep 17 00:00:00 2001 
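Review bot: In docs/third_party-borgmatic.md the compose snippet stores `BORG_PASSPHRASE` as a literal in `docker-compose.override.yml`, and the `config.yaml` step expands `${DBPASS}` from `mailcow.conf` into `data/conf/borgmatic/etc/config.yaml`, yet only the SSH key gets a `chmod 600` instruction. Add the same permission advice for both files, and tell readers to keep a copy of the passphrase off the mail host, since the page itself notes that archives cannot be decrypted without it. In the restore section, "temporarily disable" SELinux should name the exact scope (permissive mode for the duration of the extract), and the removal of the `ro` flag should be paired with a reminder to put it back, which "After restoring" currently omits.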
From: andryyy Date: Mon, 19 Apr 2021 14:36:17 +0200 Subject: [PATCH 137/220] Add nrows history limit to Rspamd docs --- docs/u_e-rspamd.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/docs/u_e-rspamd.md b/docs/u_e-rspamd.md index bdc4fa461..a3f15b2cb 100644 --- a/docs/u_e-rspamd.md +++ b/docs/u_e-rspamd.md @@ -224,3 +224,19 @@ redis-cli -h redis DEL Q_LAST_NOTIFIED quarantine_notify.py ``` +## Increase history retention + +By default Rspamd keeps 1000 elements in the history. + +The history is stored compressed. + +It is recommended not to use a disproportionate high value here, try something along 5000 or 10000 and see how your server handles it: + +Edit `data/conf/rspamd/local.d/history_redis.conf`: + +``` +nrows = 1000; # change this value +``` + +Restart Rspamd afterwards: `docker-compose restart rspamd-mailcow` + From 0ae7ecf9add73693b3592bd1e31904c31216dc87 Mon Sep 17 00:00:00 2001 From: Peter Date: Tue, 20 Apr 2021 21:28:50 +0200 Subject: [PATCH 138/220] Create gh-pages.yml --- .github/gh-pages.yml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 .github/gh-pages.yml diff --git a/.github/gh-pages.yml b/.github/gh-pages.yml new file mode 100644 index 000000000..f79edb87f --- /dev/null +++ b/.github/gh-pages.yml @@ -0,0 +1,21 @@ +name: Build and deploy to gh-pages +on: [push] +jobs: + build-and-deploy: + runs-on: ubuntu-latest + steps: + - name: Checkout 📥 + uses: actions/checkout@v2.3.4 + + - name: Install and Build 🔧 + run: | + sudo apt-get -y update + sudo apt-get -y install python3-pip + pip install mkdocs-material pygments mkdocs-redirects + mkdocs build --verbose --clean + + - name: Deploy 🚀 + uses: JamesIves/github-pages-deploy-action@4.1.1 + with: + branch: gh-pages # The branch the action should deploy to. + folder: . # The folder the action should deploy. From f1c6bcb11bdb68fb641be18d0e5561278e5c97f7 Mon Sep 17 00:00:00 2001 
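Review bot: The new `.github/gh-pages.yml` references both actions by tag (`actions/checkout@v2.3.4`, `JamesIves/github-pages-deploy-action@4.1.1`) and installs `mkdocs-material pygments mkdocs-redirects` unpinned; for a job that pushes to the repository, pin the third-party action to a commit SHA and pin the package versions. `folder: .` publishes the whole checkout to `gh-pages` rather than the `site` directory the Travis config deployed with `local_dir: site`. `on: [push]` runs the deploy for every branch, where Travis was limited by `on: branch: master`, and the file is created in `.github/` rather than `.github/workflows/`.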
From: MAGIC Date: Tue, 20 Apr 2021 21:34:11 +0200 Subject: [PATCH 139/220] Add workflows folder --- .github/{ => workflows}/gh-pages.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename .github/{ => workflows}/gh-pages.yml (100%) diff --git a/.github/gh-pages.yml b/.github/workflows/gh-pages.yml similarity index 100% rename from .github/gh-pages.yml rename to .github/workflows/gh-pages.yml From 26ace065fa53575cd4e3f0db4674f2b6c40c8ef7 Mon Sep 17 00:00:00 2001 From: MAGIC Date: Tue, 20 Apr 2021 21:37:51 +0200 Subject: [PATCH 140/220] Bump Pygments to 2.8.1 --- .github/workflows/gh-pages.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index f79edb87f..e39419cf3 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -11,7 +11,7 @@ jobs: run: | sudo apt-get -y update sudo apt-get -y install python3-pip - pip install mkdocs-material pygments mkdocs-redirects + pip install mkdocs-material pygments==2.8.1 mkdocs-redirects mkdocs build --verbose --clean - name: Deploy 🚀 From fa82d9a6deb1cb544e9863fb10acafa481ec2fac Mon Sep 17 00:00:00 2001 From: MAGIC Date: Tue, 20 Apr 2021 21:43:59 +0200 Subject: [PATCH 141/220] Separate installing dependencies and build site --- .github/workflows/gh-pages.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index e39419cf3..9451c2130 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml 
@@ -7,15 +7,18 @@ jobs: - name: Checkout 📥 uses: actions/checkout@v2.3.4 - - name: Install and Build 🔧 + - name: Install dependencies 🐄 run: | sudo apt-get -y update sudo apt-get -y install python3-pip pip install mkdocs-material pygments==2.8.1 mkdocs-redirects - mkdocs build --verbose --clean + + - name: Build site 🔧 + run: | + mkdocs build --verbose --clean - name: Deploy 🚀 uses: JamesIves/github-pages-deploy-action@4.1.1 with: branch: gh-pages # The branch the action should deploy to. - folder: . # The folder the action should deploy. + folder: docs # The folder the action should deploy. From bdfdaa01cb4fa17ea9759077d542062d14b24761 Mon Sep 17 00:00:00 2001 From: MAGIC Date: Tue, 20 Apr 2021 21:45:07 +0200 Subject: [PATCH 142/220] tabs are bad --- .github/workflows/gh-pages.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 9451c2130..bd8ef6850 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -14,8 +14,8 @@ jobs: pip install mkdocs-material pygments==2.8.1 mkdocs-redirects - name: Build site 🔧 - run: | - mkdocs build --verbose --clean + run: | + mkdocs build --verbose --clean - name: Deploy 🚀 uses: JamesIves/github-pages-deploy-action@4.1.1 From d9f26ce1a4a6d9ff1b5bc1147bd5a3788b6e4e2e Mon Sep 17 00:00:00 2001 From: MAGIC Date: Tue, 20 Apr 2021 21:51:22 +0200 Subject: [PATCH 143/220] Use site as folder --- .github/workflows/gh-pages.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index bd8ef6850..075c81c07 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -21,4 +21,4 @@ jobs: uses: JamesIves/github-pages-deploy-action@4.1.1 with: branch: gh-pages # The branch the action should deploy to. - folder: docs # The folder the action should deploy. + folder: site # The folder the action should deploy. 
From bf1996b97fe03ee3194d1edacf737eebd6d6cbbe Mon Sep 17 00:00:00 2001 From: MAGIC Date: Tue, 20 Apr 2021 22:01:09 +0200 Subject: [PATCH 144/220] delete travis.yml --- .travis.yml | 14 -------------- 1 file changed, 14 deletions(-) delete mode 100644 .travis.yml diff --git a/.travis.yml b/.travis.yml deleted file mode 100644 index 78cdde8a9..000000000 --- a/.travis.yml +++ /dev/null @@ -1,14 +0,0 @@ -language: python -install: -- pip install mkdocs-material pygments mkdocs-redirects -script: -- mkdocs build --verbose --clean -deploy: - provider: pages - skip_cleanup: true - github_token: $GITHUB_TOKEN - local_dir: site - name: $BOT_NAME - email: $BOT_EMAIL - on: - branch: master From 77a8a09c196959294cd4d25030d5e953ece79554 Mon Sep 17 00:00:00 2001 From: MAGIC Date: Tue, 20 Apr 2021 22:01:23 +0200 Subject: [PATCH 145/220] Replace build badge --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 48fe30ca6..f814a2400 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -![TRAVIS-CI](https://api.travis-ci.org/mailcow/mailcow-dockerized-docs.svg?branch=master) +[![Build and deploy to gh-pages](https://github.com/mailcow/mailcow-dockerized-docs/actions/workflows/gh-pages.yml/badge.svg)](https://github.com/mailcow/mailcow-dockerized-docs/actions/workflows/gh-pages.yml) # mailcow: dockerized documentation From 7c0a5cd45ab44fd65d0bc1b74d170e4b72721cd6 Mon Sep 17 00:00:00 2001 From: Peter Date: Tue, 20 Apr 2021 22:50:38 +0200 Subject: [PATCH 146/220] Trigger workflow only on master --- .github/workflows/gh-pages.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 075c81c07..0f822da69 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -1,5 +1,8 @@ name: Build and deploy to gh-pages -on: [push] +on: + push: + branches: + - master jobs: build-and-deploy: runs-on: ubuntu-latest 
From b53e4ca9f7ca0e866bf22dc391193bed27ff4aae Mon Sep 17 00:00:00 2001 From: Sven Gottwald <2502366+svengo@users.noreply.github.com> Date: Wed, 21 Apr 2021 19:17:14 +0200 Subject: [PATCH 147/220] Update b_n_r_backup.md Add example for using backup_and_restore.sh in a cronjob --- docs/b_n_r_backup.md | 33 ++++++++++++++++++++++++++++++++- 1 file changed, 32 insertions(+), 1 deletion(-) diff --git a/docs/b_n_r_backup.md b/docs/b_n_r_backup.md index afc932563..55abdee92 100644 --- a/docs/b_n_r_backup.md +++ b/docs/b_n_r_backup.md @@ -1,5 +1,5 @@ ### Backup - +#### backup_and_restore.sh You can use the provided script `helper-scripts/backup_and_restore.sh` to backup mailcow automatically. Please do not copy this script to another location. @@ -30,3 +30,34 @@ To run a backup unattended, define MAILCOW_BACKUP_LOCATION as environment variab ``` MAILCOW_BACKUP_LOCATION=/opt/backup /opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh backup all ``` + +#### Cronjob +You can call the backupscript regularly using a cronjob. Normally cron informs you about the result of each backup operation by e-mail. If you want cron to create an email only in case of an error, you can use the following snippet in `/etc/cron.daily/mailcow-backup` for example. If necessary the paths must be modified. + +``` +#!/bin/sh + +# Backup mailcow data +# https://mailcow.github.io/mailcow-dockerized-docs/b_n_r_backup/ + +set -e + +OUT="$(mktemp)" +export MAILCOW_BACKUP_LOCATION="/opt/backup" +SCRIPT="/opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh" +PARAMETERS="backup all" +OPTIONS="--delete-days 30" + +# run command +set +e +"${SCRIPT}" ${PARAMETERS} ${OPTIONS} 2>&1 > "$OUT" +RESULT=$? + +if [ $RESULT -ne 0 ] + then + echo "${SCRIPT} ${PARAMETERS} ${OPTIONS} encounters an error:" + echo "RESULT=$RESULT" + echo "STDOUT / STDERR:" + cat "$OUT" +fi +``` From 53edcfb06a3d70a0124d6ff08d050079030e4c33 Mon Sep 17 00:00:00 2001 
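Review bot: in the cron script added to `docs/b_n_r_backup.md`, the line `"${SCRIPT}" ${PARAMETERS} ${OPTIONS} 2>&1 > "$OUT"` does not capture stderr. Redirections are applied left to right, so stderr is attached to the script's original stdout before stdout is moved to the file; anything the backup writes to stderr is mailed by cron even on a successful run and is missing from the `cat "$OUT"` report. Write `> "$OUT" 2>&1` instead. The file created by `mktemp` is also never removed, so every run leaves one behind; add `trap 'rm -f "$OUT"' EXIT` right after it is created.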
From: drohhyn Date: Sat, 24 Apr 2021 09:40:26 +0200 Subject: [PATCH 148/220] Update u_e-xmpp-faq.md Info about open ports with ideling XMPP added. --- docs/u_e-xmpp-faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/u_e-xmpp-faq.md b/docs/u_e-xmpp-faq.md index 277fa4818..ee6f3c7a4 100644 --- a/docs/u_e-xmpp-faq.md +++ b/docs/u_e-xmpp-faq.md @@ -6,7 +6,7 @@ Please find the most frequently asked questions with their corresponding configu No, there is not. But you don't need one either. -The xmppd behaves the same way as SOGo or Solr do when disabled. A shell will be idling and ejabberd will **not** be started. +The xmppd behaves the same way as SOGo or Solr do when disabled. A shell will be idling and ejabberd will **not** be started (but open unconnected ports). As soon as a domain is enabled for XMPP, the container will be restarted and ejabberd bootstrapped. From d640dbe345826d7ae7f14866d0754c0391e3a443 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Mon, 26 Apr 2021 13:20:40 +0200 Subject: [PATCH 149/220] Update u_e-webmail-site.md --- docs/u_e-webmail-site.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/u_e-webmail-site.md b/docs/u_e-webmail-site.md index 31c9e1e65..f04de862f 100644 --- a/docs/u_e-webmail-site.md +++ b/docs/u_e-webmail-site.md @@ -14,7 +14,7 @@ server { include /etc/nginx/conf.d/listen_plain.active; include /etc/nginx/conf.d/listen_ssl.active; server_name webmail.example.org; - + server_tokens off; location ^~ /.well-known/acme-challenge/ { allow all; default_type "text/plain"; From a97522545b66595b7d0eef311fa57b64919eab7b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Mon, 26 Apr 2021 13:21:07 +0200 Subject: [PATCH 150/220] Update u_e-nginx.md --- docs/u_e-nginx.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/u_e-nginx.md b/docs/u_e-nginx.md index efeace445..9743b6e55 100644 --- a/docs/u_e-nginx.md +++ b/docs/u_e-nginx.md 
@@ -16,6 +16,7 @@ server { include /etc/nginx/conf.d/listen_plain.active; include /etc/nginx/conf.d/listen_ssl.active; server_name mysite.example.org; + server_tokens off; location ^~ /.well-known/acme-challenge/ { allow all; @@ -40,6 +41,7 @@ server { include /etc/nginx/conf.d/listen_plain.active; include /etc/nginx/conf.d/listen_ssl.active; server_name example.domain.tld; + server_tokens off; location ^~ /.well-known/acme-challenge/ { allow all; From 6f6842f49cf7981b0869cd16472564cc8f6b521f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Wed, 28 Apr 2021 20:55:44 +0200 Subject: [PATCH 151/220] Update firststeps-rp.md --- docs/firststeps-rp.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/firststeps-rp.md b/docs/firststeps-rp.md index 1e1d00050..d33d03a0b 100644 --- a/docs/firststeps-rp.md +++ b/docs/firststeps-rp.md @@ -15,6 +15,11 @@ This will also change the bindings inside the Nginx container! This is important Recreate affected containers by running `docker-compose up -d`. +**Important information, please read them carefully!** + +!!! info + If you plan to use a reverse proxy and want to use another server name that is **not** MAILCOW_HOSTNAME, you need to read **Adding additional server names for mailcow UI** at the bottom of this page. + !!! warning Make sure you run `generate_config.sh` before you enable any site configuration examples below. The script `generate_config.sh` copies snake-oil certificates to the correct location, so the services will not fail to start due to missing files. From c4744d11480003a92fdfea12e79129affe6288c7 Mon Sep 17 00:00:00 2001 From: Peter Date: Wed, 28 Apr 2021 21:32:33 +0200 Subject: [PATCH 152/220] Update debug-reset_pw.md --- docs/debug-reset_pw.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/docs/debug-reset_pw.md b/docs/debug-reset_pw.md index 3f14e8687..149d73124 100644 --- a/docs/debug-reset_pw.md +++ b/docs/debug-reset_pw.md 
@@ -77,9 +77,17 @@ MariaDB [(none)]> FLUSH PRIVILEGES; ## Remove Two-Factor Authentication +### For mailcow WebUI: + This works similar to resetting a MySQL password, now we do it from the host without connecting to the MySQL CLI: ``` source mailcow.conf docker-compose exec mysql-mailcow mysql -u${DBUSER} -p${DBPASS} ${DBNAME} -e "DELETE FROM tfa WHERE username='YOUR_USERNAME';" ``` + +### For SOGo: + +``` +docker-compose exec -u sogo sogo-mailcow sogo-tool user-preferences set defaults user@example.com SOGoGoogleAuthenticatorEnabled '{"SOGoGoogleAuthenticatorEnabled":0}' +``` From d1c4536d01c10feb4a90cccc3b0e0f49efaa5ba2 Mon Sep 17 00:00:00 2001 From: andryyy Date: Wed, 28 Apr 2021 22:37:30 +0200 Subject: [PATCH 153/220] Remove old file --- docs/u_e-change_config.md | 68 --------------------------------------- mkdocs.yml | 1 - 2 files changed, 69 deletions(-) delete mode 100644 docs/u_e-change_config.md diff --git a/docs/u_e-change_config.md b/docs/u_e-change_config.md deleted file mode 100644 index 98b3cb391..000000000 --- a/docs/u_e-change_config.md +++ /dev/null 
@@ -1,68 +0,0 @@ -The most important configuration files are mounted from the host into the related containers: - -``` -data/conf -├── unbound -│   └── unbound.conf -├── dovecot -│   ├── dovecot.conf -│   ├── dovecot-master.passwd -│   ├── sieve_after -│   └── sql -│   ├── dovecot-dict-sql.conf -│   └── dovecot-mysql.conf -├── mysql -│   └── my.cnf -├── nginx -│   ├── dynmaps.conf -│   ├── site.conf -│   └── templates -│   ├── listen_plain.template -│   ├── listen_ssl.template -│   └── server_name.template -├── postfix -│   ├── main.cf -│   ├── master.cf -│   ├── postscreen_access.cidr -│   ├── smtp_dsn_filter -│   └── sql -│   ├── mysql_relay_recipient_maps.cf -│   ├── mysql_tls_enforce_in_policy.cf -│   ├── mysql_tls_enforce_out_policy.cf -│   ├── mysql_virtual_alias_domain_catchall_maps.cf -│   ├── mysql_virtual_alias_domain_maps.cf -│   ├── mysql_virtual_alias_maps.cf -│   ├── mysql_virtual_domains_maps.cf -│   ├── mysql_virtual_mailbox_maps.cf -│   ├── mysql_virtual_relay_domain_maps.cf -│   ├── mysql_virtual_sender_acl.cf -│   └── mysql_virtual_spamalias_maps.cf -├── rspamd -│   ├── dynmaps -│   │   ├── authoritative.php -│   │   ├── settings.php -│   │   ├── tags.php -│   │   └── vars.inc.php -> ../../../web/inc/vars.inc.php -│   ├── local.d -│   │   ├── dkim.conf -│   │   ├── metrics.conf -│   │   ├── options.inc -│   │   ├── redis.conf -│   │   ├── rspamd.conf.local -│   │   └── statistic.conf -│   ├── lua -│   │   └── rspamd.local.lua -│   └── override.d -│   ├── logging.inc -│   ├── worker-controller.inc -│   └── worker-normal.inc -└── sogo - ├── sieve.creds - └── sogo.conf - -``` - -Just change the according configuration file on the host and restart the related service: -``` -docker-compose restart service-mailcow -``` diff --git a/mkdocs.yml b/mkdocs.yml index 328ea89d4..87708e050 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
@@ -105,7 +105,6 @@ nav: - 'Why unbound?': 'u_e-why_unbound.md' - 'Autodiscover / Autoconfig': 'u_e-autodiscover_config.md' - 'Redirect HTTP to HTTPS': 'u_e-80_to_443.md' - - 'Adjust Service Configurations': 'u_e-change_config.md' - 'Deinstall': 'u_e-deinstall.md' - 'Re-enable TLS 1.0 and TLS 1.1': 'u_e-reeanble-weak-protocols.md' - 'Client Configuration': From 9945b6c370a510afd86f3e5b029b021ebb70a06b Mon Sep 17 00:00:00 2001 From: andryyy Date: Thu, 29 Apr 2021 22:18:40 +0200 Subject: [PATCH 154/220] move deinstall --- docs/{u_e-deinstall.md => i_u_m_deinstall.md} | 0 mkdocs.yml | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) rename docs/{u_e-deinstall.md => i_u_m_deinstall.md} (100%) diff --git a/docs/u_e-deinstall.md b/docs/i_u_m_deinstall.md similarity index 100% rename from docs/u_e-deinstall.md rename to docs/i_u_m_deinstall.md diff --git a/mkdocs.yml b/mkdocs.yml index 83960fc5e..ca5e5a1a0 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -28,6 +28,7 @@ nav: - 'Installation': 'i_u_m_install.md' - 'Update': 'i_u_m_update.md' - 'Migration': 'i_u_m_migration.md' + - 'Deinstallation': 'i_u_m_deinstall.md' - 'Post Installation Tasks': - 'Advanced SSL': 'firststeps-ssl.md' - 'Disable IPv6': 'firststeps-disable_ipv6.md' @@ -105,7 +106,6 @@ nav: - 'Why unbound?': 'u_e-why_unbound.md' - 'Autodiscover / Autoconfig': 'u_e-autodiscover_config.md' - 'Redirect HTTP to HTTPS': 'u_e-80_to_443.md' - - 'Deinstall': 'u_e-deinstall.md' - 'Re-enable TLS 1.0 and TLS 1.1': 'u_e-reeanble-weak-protocols.md' - 'Client Configuration': - 'Overview': 'client.md' From 45c7e6a87f59eeac5b2fccce0604e88903d2a620 Mon Sep 17 00:00:00 2001 From: andryyy Date: Thu, 29 Apr 2021 22:32:42 +0200 Subject: [PATCH 155/220] reset tls certs --- docs/debug-reset-tls.md | 17 +++++++++++++++++ mkdocs.yml | 1 + 2 files changed, 18 insertions(+) create mode 100644 docs/debug-reset-tls.md diff --git a/docs/debug-reset-tls.md b/docs/debug-reset-tls.md new file mode 100644 index 000000000..b2584e0f4 
--- /dev/null +++ b/docs/debug-reset-tls.md @@ -0,0 +1,17 @@ +In case you encounter problems with your certificate, key or Let's Encrypt account, please try to reset the TLS assets: + +``` +source mailcow.conf +docker-compose down +rm -rf data/assets/ssl +mkdir data/assets/ssl +openssl req -x509 -newkey rsa:4096 -keyout data/assets/ssl-example/key.pem -out data/assets/ssl-example/cert.pem -days 365 -subj "/C=DE/ST=NRW/L=Willich/O=mailcow/OU=mailcow/CN=${MAILCOW_HOSTNAME}" -sha256 -nodes +cp -n -d data/assets/ssl-example/*.pem data/assets/ssl/ +docker-compose up -d +``` + +This will stop mailcow, source the variables we need, create a self-signed certificate and start mailcow. + +If you use Let's Encrypt you should be careful as you will create a new account and a new set of certificates. You will run into a ratelimit sooner or later. + +Please also note that previous TLSA records will be invalid. diff --git a/mkdocs.yml b/mkdocs.yml index ca5e5a1a0..b24e15e41 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -54,6 +54,7 @@ nav: - 'Remove Persistent Data': 'debug-rm_volumes.md' - 'Common Problems': 'debug-common_problems.md' - 'Admin login to SOGo': 'debug-admin_login_sogo.md' + - 'Reset TLS certificates'': 'debug-reset-tls.md' - 'Backup & Restore': - 'Helper script': - 'Backup': 'b_n_r_backup.md' From a1c87cd2a47d7f0388eabb1b4be7c7336cfc8c31 Mon Sep 17 00:00:00 2001 From: andryyy Date: Thu, 29 Apr 2021 22:39:08 +0200 Subject: [PATCH 156/220] fix typo --- mkdocs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mkdocs.yml b/mkdocs.yml index b24e15e41..666fbc45d 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -54,7 +54,7 @@ nav: - 'Remove Persistent Data': 'debug-rm_volumes.md' - 'Common Problems': 'debug-common_problems.md' - 'Admin login to SOGo': 'debug-admin_login_sogo.md' - - 'Reset TLS certificates'': 'debug-reset-tls.md' + - 'Reset TLS certificates': 'debug-reset-tls.md' - 'Backup & Restore': - 'Helper script': - 'Backup': 'b_n_r_backup.md' 
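Review bot: the procedure in the new `docs/debug-reset-tls.md` removes the existing certificate, key and Let's Encrypt account data with `rm -rf data/assets/ssl` and gives the reader no way back, although the closing paragraphs of the same page warn about rate limits and invalidated TLSA records. Suggest moving the directory aside instead, for example `mv data/assets/ssl data/assets/ssl.bak`, and telling the reader to delete the copy once the new certificate works. The `openssl req` line writes `key.pem` and `cert.pem` into `data/assets/ssl-example/`, overwriting whatever that directory held; writing directly into `data/assets/ssl/` would make the following `cp -n -d` unnecessary. The summary sentence also lists the steps in a different order than the commands, which source `mailcow.conf` before stopping mailcow.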
From 0e7adfdea04ad67c25232ccf4f41afda035280b5 Mon Sep 17 00:00:00 2001 From: Daniel Lo Nigro Date: Sun, 2 May 2021 16:13:15 -0700 Subject: [PATCH 157/220] Update `pip install` command in readme --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index f814a2400..f9fe18d9e 100644 --- a/README.md +++ b/README.md @@ -9,6 +9,6 @@ https://mailcow.github.io/mailcow-dockerized-docs To build it locally, you need the [Material theme for MkDocs](https://squidfunk.github.io/mkdocs-material/), [MkDocs](https://www.mkdocs.org/) itself and [Pygments](http://pygments.org/). To install these with [pip](https://pip.pypa.io/en/stable/) and get it up and running, fire up your terminal and enter ``` -pip install mkdocs-material +pip install mkdocs-material pygments==2.8.1 mkdocs-redirects mkdocs serve -``` \ No newline at end of file +``` From 2cc7e092b3b76a6318931401b2c3b861564cbbf6 Mon Sep 17 00:00:00 2001 From: Stephen Schwetz Date: Tue, 4 May 2021 00:22:42 +1000 Subject: [PATCH 158/220] Provide better examples and more explaination Updated IP Ranges to correct documentation ranges Provided IPv6 Example Added warning about becoming an open relay --- docs/firststeps-trust_networks.md | 31 +++++++++++++++++++++++++------ 1 file changed, 25 insertions(+), 6 deletions(-) diff --git a/docs/firststeps-trust_networks.md b/docs/firststeps-trust_networks.md index e12dd9dfb..07886b51d 100644 --- a/docs/firststeps-trust_networks.md +++ b/docs/firststeps-trust_networks.md 
@@ -1,11 +1,30 @@ -Per default mailcow considers all networks as untrusted, except for its own IPV4_NETWORK and IPV6_NETWORK scope. Though it is reasonable in most cases, you may want to loosen this restriction under certain circumstances to allow connections from other networks. +## Default Unauthenticated Relaying +By default mailcow considers all networks as untrusted, excluding its own IPV4_NETWORK and IPV6_NETWORK scopes. Though it is reasonable in most cases, there may be circumstances that you need to loosen this restriction +As default we use "mynetworks_style = subnet". -To change this behaviour override the default value of `mynetworks` parameter through the `data/conf/postfix/extra.cf` configuration file. +## Permitting unauthenticated relaying. -**Important**: Do **not** remove the networks listed as `IPV4_NETWORK` and `IPV6_NETWORK` in your mailcow.conf. You should also keep local addresses. To add `1.2.3.4/32` it may look like the configuration below: +!!! Warning +Incorrect setup of mynetworks will allow your server to be used as an open relay to send unsolicitated bulk email. This **will** affect your ability to send emails to other mail servers, and can take some time to be reversed. If you don't know what this is for, than you do not need it. -``` -mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 172.22.1.0/24 [fd4d:6169:6c63:6f77::]/64 1.2.3.4/32 +!!! Note Do **not** remove the networks listed as `IPV4_NETWORK` and `IPV6_NETWORK` from your mailcow.conf, or the loopback ranges 127.0.0.0/8, [::ffff:127.0.0.0]/104, and [::1]. + +To change the my behaviour override the default value of `mynetworks` parameter through the `data/conf/postfix/extra.cf` configuration file. 
+ +### Permitting IPV4 hosts +To add `192.0.2.0/24` it may look like the configuration below: + +``` data/conf/postfix/extra.cf +mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 172.22.1.0/24 [fd4d:6169:6c63:6f77::]/64 192.0.2.0/24 ``` -Per default we use "mynetworks_style = subnet" to only include local networks we are part of. +### Permitting IPv6 hosts + +The addition of ipv6 hosts is done the same as ipv4, however the subnet needs to be placed between [ ] with the netmask appearing after it. To add 2001:DB8::/32 to be allowed to relay we would use the following configuration: + +``` data/conf/postfix/extra.cf +mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 172.22.1.0/24 [fd4d:6169:6c63:6f77::]/64 [2001:DB8::]/32 +``` + +!!! Info +Further Information on Postfix's mynetwork can be located [here](http://www.postfix.org/postconf.5.html#mynetworks "Postfix's mynetworks") From d6512bdc6a9a35cb385d81e37f91d6e77c0c02e5 Mon Sep 17 00:00:00 2001 From: Stephen Schwetz Date: Tue, 4 May 2021 01:00:20 +1000 Subject: [PATCH 159/220] Update prerequisite-dns.md quick tidy up --- docs/prerequisite-dns.md | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/docs/prerequisite-dns.md b/docs/prerequisite-dns.md index 0d198c428..c9a23e60b 100644 --- a/docs/prerequisite-dns.md +++ b/docs/prerequisite-dns.md 
@@ -86,7 +86,8 @@ Here are some tools you can use to verify your DNS configuration: ### Optional DMARC Statistics If you are interested in statistics, you can additionally register with some of the many below DMARC statistic services, or self-host your own. -**NOTE:** It is worth considering that if you request DMARC statistic reports to your mailcow server, if there are issues with that domain you may not get accurate results. You can consider using an alternative email domain for recieving DMARC reports. +!!! Tip +It is worth considering that if you request DMARC statistic reports to your mailcow server, if there are issues with that domain you may not get accurate results. You can consider using an alternative email domain for recieving DMARC reports. It is worth mentioning, that the following suggestions are not a comprehensive list of all services and tools avaialble, but only a small few of the many choices. 
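Review bot: the body of the `!!! Tip` added in `docs/prerequisite-dns.md` starts in column one, and an admonition only takes content that is indented by four spaces, so the text will be rendered as an ordinary paragraph outside the tip. Indent the paragraph under `!!! Tip`. The moved sentence also carries over the misspelling `recieving`.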
@@ -96,18 +97,14 @@ It is worth mentioning, that the following suggestions are not a comprehensive l - [Postmark](https://dmarc.postmarkapp.com) - [Dmarcian](https://dmarcian.com/) -**NOTE:** The services may provide you with a TXT record, which you would insert into your DNS records as the provider specifies. This record will give you details about spam-classified mails by your domain. However, please ensure to read the providers documentation from the service you choose, as this process may vary and not all providers may use a TXT record. +!!! Tip +The services may provide you with a TXT record, which you would insert into your DNS records as the provider specifies. This record will give you details about spam-classified mails by your domain. However, please ensure to read the providers documentation from the service you choose, as this process may vary and not all providers may use a TXT record. ### Email Test for SPF, DKIM and DMARC: -To test send an email to the email below and wait for a reply: - -check-auth@verifier.port25.com - -You will get a report back that looks like the following: +To test send an email to the email check-auth@verifier.port25.com and wait for a reply. You will get a report back that looks like the following: ``` - ========================================================== Summary of Results ========================================================== From be0fac6d00d63fd303014c6c5ec5cf4216213f1f Mon Sep 17 00:00:00 2001 From: MAGIC Date: Mon, 3 May 2021 18:20:50 +0200 Subject: [PATCH 160/220] Update pygments to 2.9.0 --- .github/workflows/gh-pages.yml | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 0f822da69..e924c2c3b 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml 
@@ -14,7 +14,7 @@ jobs: run: | sudo apt-get -y update sudo apt-get -y install python3-pip - pip install mkdocs-material pygments==2.8.1 mkdocs-redirects + pip install mkdocs-material pygments==2.9.0 mkdocs-redirects - name: Build site 🔧 run: | diff --git a/README.md b/README.md index f9fe18d9e..bbc5b1471 100644 --- a/README.md +++ b/README.md @@ -9,6 +9,6 @@ https://mailcow.github.io/mailcow-dockerized-docs To build it locally, you need the [Material theme for MkDocs](https://squidfunk.github.io/mkdocs-material/), [MkDocs](https://www.mkdocs.org/) itself and [Pygments](http://pygments.org/). To install these with [pip](https://pip.pypa.io/en/stable/) and get it up and running, fire up your terminal and enter ``` -pip install mkdocs-material pygments==2.8.1 mkdocs-redirects +pip install mkdocs-material pygments==2.9.0 mkdocs-redirects mkdocs serve ``` From 9585becdd3aa0fbe991a021b1786aeecf2be022d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Mon, 3 May 2021 21:33:14 +0200 Subject: [PATCH 161/220] Update docs/firststeps-trust_networks.md Co-authored-by: Peter --- docs/firststeps-trust_networks.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/firststeps-trust_networks.md b/docs/firststeps-trust_networks.md index 07886b51d..a1576cc13 100644 --- a/docs/firststeps-trust_networks.md +++ b/docs/firststeps-trust_networks.md 
@@ -20,7 +20,7 @@ mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 172.22.1.0 ### Permitting IPv6 hosts -The addition of ipv6 hosts is done the same as ipv4, however the subnet needs to be placed between [ ] with the netmask appearing after it. To add 2001:DB8::/32 to be allowed to relay we would use the following configuration: +The addition of IPv6 hosts is done the same as IPv4, however the subnet needs to be placed between [ ] with the netmask appearing after it. To add 2001:db8::/32 to be allowed to relay we would use the following configuration: ``` data/conf/postfix/extra.cf mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 172.22.1.0/24 [fd4d:6169:6c63:6f77::]/64 [2001:DB8::]/32 From 860c6f783d9af9d2ec8d2f3bdd23d96baa66f60f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Mon, 3 May 2021 21:33:29 +0200 Subject: [PATCH 162/220] Update docs/firststeps-trust_networks.md Co-authored-by: Peter --- docs/firststeps-trust_networks.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/firststeps-trust_networks.md b/docs/firststeps-trust_networks.md index a1576cc13..ba43d7cac 100644 --- a/docs/firststeps-trust_networks.md +++ b/docs/firststeps-trust_networks.md @@ -12,7 +12,7 @@ Incorrect setup of mynetworks will allow your server to be used as an open relay To change the my behaviour override the default value of `mynetworks` parameter through the `data/conf/postfix/extra.cf` configuration file. ### Permitting IPV4 hosts -To add `192.0.2.0/24` it may look like the configuration below: +To add `192.168.2.0/24` it may look like the configuration below: ``` data/conf/postfix/extra.cf mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 172.22.1.0/24 [fd4d:6169:6c63:6f77::]/64 192.0.2.0/24 From e4e868436c93600205f160a7670e712dd0a7911a Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Mon, 3 May 2021 21:34:07 +0200 Subject: [PATCH 163/220] Update docs/prerequisite-dns.md Co-authored-by: Peter --- docs/prerequisite-dns.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/prerequisite-dns.md b/docs/prerequisite-dns.md index c9a23e60b..714bef480 100644 --- a/docs/prerequisite-dns.md +++ b/docs/prerequisite-dns.md @@ -87,7 +87,7 @@ Here are some tools you can use to verify your DNS configuration: If you are interested in statistics, you can additionally register with some of the many below DMARC statistic services, or self-host your own. !!! Tip -It is worth considering that if you request DMARC statistic reports to your mailcow server, if there are issues with that domain you may not get accurate results. You can consider using an alternative email domain for recieving DMARC reports. +It is worth considering that if you request DMARC statistic reports to your mailcow server, if there are issues with that domain you may not get accurate results. You can consider using an alternative email domain for receiving DMARC reports. It is worth mentioning, that the following suggestions are not a comprehensive list of all services and tools avaialble, but only a small few of the many choices. From 77bad7d6c2d288588bd6e77d3df1cac4e5b86c96 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Mon, 3 May 2021 21:34:23 +0200 Subject: [PATCH 164/220] Update docs/prerequisite-dns.md Co-authored-by: Peter --- docs/prerequisite-dns.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/prerequisite-dns.md b/docs/prerequisite-dns.md index 714bef480..ee574290c 100644 --- a/docs/prerequisite-dns.md +++ b/docs/prerequisite-dns.md 
@@ -102,7 +102,7 @@ The services may provide you with a TXT record, which you would insert into your ### Email Test for SPF, DKIM and DMARC: -To test send an email to the email check-auth@verifier.port25.com and wait for a reply. You will get a report back that looks like the following: +To test send an email to the email `check-auth at verifier.port25.com` and wait for a reply. You will get a report back that looks like the following: ``` ========================================================== From 832b7ccfe2fe777a3eeb47826050fd0b0a23e3f9 Mon Sep 17 00:00:00 2001 From: Peter Date: Mon, 3 May 2021 22:55:26 +0200 Subject: [PATCH 165/220] Update docs/firststeps-trust_networks.md --- docs/firststeps-trust_networks.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/firststeps-trust_networks.md b/docs/firststeps-trust_networks.md index ba43d7cac..18fdff11a 100644 --- a/docs/firststeps-trust_networks.md +++ b/docs/firststeps-trust_networks.md @@ -23,7 +23,7 @@ mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 172.22.1.0 The addition of IPv6 hosts is done the same as IPv4, however the subnet needs to be placed between [ ] with the netmask appearing after it. To add 2001:db8::/32 to be allowed to relay we would use the following configuration: ``` data/conf/postfix/extra.cf -mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 172.22.1.0/24 [fd4d:6169:6c63:6f77::]/64 [2001:DB8::]/32 +mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 172.22.1.0/24 [fd4d:6169:6c63:6f77::]/64 [2001:db8::]/32 ``` !!! Info From 093f786b3ee59aaf19e350881b855f6d547a3e20 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Tue, 4 May 2021 12:04:03 +0200 Subject: [PATCH 166/220] Update firststeps-trust_networks.md --- docs/firststeps-trust_networks.md | 35 ++++++++++++++++++------------- 1 file changed, 21 insertions(+), 14 deletions(-) 
diff --git a/docs/firststeps-trust_networks.md b/docs/firststeps-trust_networks.md index 18fdff11a..801371e14 100644 --- a/docs/firststeps-trust_networks.md +++ b/docs/firststeps-trust_networks.md 
@@ -1,30 +1,37 @@ -## Default Unauthenticated Relaying -By default mailcow considers all networks as untrusted, excluding its own IPV4_NETWORK and IPV6_NETWORK scopes. Though it is reasonable in most cases, there may be circumstances that you need to loosen this restriction -As default we use "mynetworks_style = subnet". +By default mailcow considers **all networks as untrusted** excluding its own IPV4_NETWORK and IPV6_NETWORK scopes. Though it is reasonable in most cases, there may be circumstances that you need to loosen this restriction. -## Permitting unauthenticated relaying. +By default mailcow uses `mynetworks_style = subnet` to determine internal subnets and leaves `mynetworks` unconfigured. + +If you decide to set `mynetworks`, Postfix ignores the mynetworks_style setting. This means you **have to** add the IPV4_NETWORK and IPV6_NETWORK scopes as well as loopback subnets manually! + +## Unauthenticated relaying !!! Warning -Incorrect setup of mynetworks will allow your server to be used as an open relay to send unsolicitated bulk email. This **will** affect your ability to send emails to other mail servers, and can take some time to be reversed. If you don't know what this is for, than you do not need it. +Incorrect setup of `mynetworks` will allow your server to be used as an open relay. If abused, this **will** affect your ability to send emails and can take some time to be resolved. -!!! Note Do **not** remove the networks listed as `IPV4_NETWORK` and `IPV6_NETWORK` from your mailcow.conf, or the loopback ranges 127.0.0.0/8, [::ffff:127.0.0.0]/104, and [::1]. +### IPv4 hosts/subnets -To change the my behaviour override the default value of `mynetworks` parameter through the `data/conf/postfix/extra.cf` configuration file. 
+To add the subnet `192.168.2.0/24` to the trusted networks you may use the following configuration, depending on your IPV4_NETWORK and IPV6_NETWORK scopes: -### Permitting IPV4 hosts -To add `192.168.2.0/24` it may look like the configuration below: +Edit `data/conf/postfix/extra.cf`: -``` data/conf/postfix/extra.cf -mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 172.22.1.0/24 [fd4d:6169:6c63:6f77::]/64 192.0.2.0/24 +``` +mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 172.22.1.0/24 [fd4d:6169:6c63:6f77::]/64 192.168.2.0/24 ``` -### Permitting IPv6 hosts +Run `docker-compose restart postfix-mailcow` to apply your new settings. -The addition of IPv6 hosts is done the same as IPv4, however the subnet needs to be placed between [ ] with the netmask appearing after it. To add 2001:db8::/32 to be allowed to relay we would use the following configuration: +### IPv6 hosts/subnets + +Adding IPv6 hosts is done the same as IPv4, however the subnet needs to be placed in brackets `[]` with the netmask appended. + +To add the subnet 2001:db8::/32 to the trusted networks you may use the following configuration, depending on your IPV4_NETWORK and IPV6_NETWORK scopes: ``` data/conf/postfix/extra.cf mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 172.22.1.0/24 [fd4d:6169:6c63:6f77::]/64 [2001:db8::]/32 ``` +Run `docker-compose restart postfix-mailcow` to apply your new settings. + !!! Info -Further Information on Postfix's mynetwork can be located [here](http://www.postfix.org/postconf.5.html#mynetworks "Postfix's mynetworks") +More information about mynetworks can be found in the [Postfix documentation](http://www.postfix.org/postconf.5.html#mynetworks). From 045ab389e8f86941f67558fa453020a6b849a923 Mon Sep 17 00:00:00 2001 
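Review bot: the `!!! Warning` about becoming an open relay and the closing `!!! Info` in `docs/firststeps-trust_networks.md` both have bodies that start in column one, so neither text will render inside its admonition; indent them by four spaces so the warning keeps its emphasis. The two examples are also formatted differently after this rewrite: the IPv4 block gets an "Edit `data/conf/postfix/extra.cf`:" sentence and a plain fence, while the IPv6 block keeps the old fence line with `data/conf/postfix/extra.cf` as its info string. Use the IPv4 form for both. Since a wrong `mynetworks` value is the risk this page warns about, it would help to add a way to confirm the effective value after the restart, for example running `postconf mynetworks` inside the `postfix-mailcow` container.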
From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Tue, 4 May 2021 12:36:07 +0200 Subject: [PATCH 167/220] Update prerequisite-dns.md --- docs/prerequisite-dns.md | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/docs/prerequisite-dns.md b/docs/prerequisite-dns.md index ee574290c..e5e7427cd 100644 --- a/docs/prerequisite-dns.md +++ b/docs/prerequisite-dns.md @@ -84,10 +84,11 @@ Here are some tools you can use to verify your DNS configuration: ## Misc ### Optional DMARC Statistics -If you are interested in statistics, you can additionally register with some of the many below DMARC statistic services, or self-host your own. + +If you are interested in statistics, you can additionally register with some of the many below DMARC statistic services - or self-host your own. !!! Tip -It is worth considering that if you request DMARC statistic reports to your mailcow server, if there are issues with that domain you may not get accurate results. You can consider using an alternative email domain for receiving DMARC reports. +It is worth considering that if you request DMARC statistic reports to your mailcow server and your mailcow server is not configured correctly to receive these reports, you may not get accurate and complete results. Please consider using an alternative email domain for receiving DMARC reports. It is worth mentioning, that the following suggestions are not a comprehensive list of all services and tools avaialble, but only a small few of the many choices. 
@@ -98,11 +99,12 @@ It is worth mentioning, that the following suggestions are not a comprehensive l - [Dmarcian](https://dmarcian.com/) !!! Tip -The services may provide you with a TXT record, which you would insert into your DNS records as the provider specifies. This record will give you details about spam-classified mails by your domain. However, please ensure to read the providers documentation from the service you choose, as this process may vary and not all providers may use a TXT record. -### Email Test for SPF, DKIM and DMARC: +These services may provide you with a TXT record you need to insert into your DNS records as the provider specifies. Please ensure to read the providers documentation from the service you choose as this process may vary. -To test send an email to the email `check-auth at verifier.port25.com` and wait for a reply. You will get a report back that looks like the following: +### Email test for SPF, DKIM and DMARC: + +To run a rudimentary email authentication check, send a mail to `check-auth at verifier.port25.com` and wait for a reply. You will find a report similar to the following: ``` ========================================================== @@ -119,8 +121,10 @@ Details: ========================================================== .... ``` -The full report will contain more technical details this is just the first section, we found this to be quite usful for testing both outgoing mail and spam scores. + +The full report will contain more technical details. ### Fully Qualified Domain Name (FQDN) + [^1]: A **Fully Qualified Domain Name** (**FQDN**) is the complete (absolute) domain name for a specific computer or host, on the Internet. The FQDN consists of at least three parts divided by a dot: the hostname (myhost), the domain name (mydomain) and the top level domain in short **tld** (com). In the example of `mx.mailcow.email` the hostname would be `mx`, the domain name `mailcow` and the tld `email`. 
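Review bot: in the `@@ -98,11 +99,12 @@` hunk of this patch, the new sentence keeps the test address as `check-auth at verifier.port25.com` inside a code span, which presents it as literal text to copy even though it is not a valid address as written; either tell the reader to replace " at " with "@" or move the obfuscated form out of the backticks. The retitled heading "### Email test for SPF, DKIM and DMARC:" also keeps its trailing colon, which the other headings on the page do not have.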
From ac2de9f82a02010feeaee127edc6b4bda0212190 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Tue, 4 May 2021 13:13:58 +0200 Subject: [PATCH 168/220] Update b_n_r_backup.md --- docs/b_n_r_backup.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/docs/b_n_r_backup.md b/docs/b_n_r_backup.md index 55abdee92..cc66f79b2 100644 --- a/docs/b_n_r_backup.md +++ b/docs/b_n_r_backup.md @@ -32,7 +32,15 @@ MAILCOW_BACKUP_LOCATION=/opt/backup /opt/mailcow-dockerized/helper-scripts/backu ``` #### Cronjob -You can call the backupscript regularly using a cronjob. Normally cron informs you about the result of each backup operation by e-mail. If you want cron to create an email only in case of an error, you can use the following snippet in `/etc/cron.daily/mailcow-backup` for example. If necessary the paths must be modified. + +You can run the backup script regularly via cronjob. Make sure `BACKUP_LOCATION` exists: + +```5 4 * * * cd /opt/mailcow-dockerized/; MAILCOW_BACKUP_LOCATION=/mnt/mailcow_backups /opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh backup mysql crypt redis --delete-days 3 +``` + +Per default cron sends the full result of each backup operation by email. If you want cron to only mail on error (non-zero exit code) you may want to use the following snippet. Pathes need to be modified according to your setup (this script is a user contribution). + +This following script may be placed in `/etc/cron.daily/mailcow-backup` - do not forget to mark it as executable via `chmod +x`: ``` #!/bin/sh From 41f08f7b21a885552f65dbeced00b9086389d002 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Tue, 4 May 2021 13:14:39 +0200 Subject: [PATCH 169/220] Update b_n_r_backup.md --- docs/b_n_r_backup.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/b_n_r_backup.md b/docs/b_n_r_backup.md index cc66f79b2..9fb976e58 100644 --- a/docs/b_n_r_backup.md +++ b/docs/b_n_r_backup.md 
@@ -1,5 +1,7 @@ ### Backup -#### backup_and_restore.sh + +#### Manual + You can use the provided script `helper-scripts/backup_and_restore.sh` to backup mailcow automatically. Please do not copy this script to another location. From d15912a28fa59acca0bc611696e06d0e1d03d579 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Wed, 5 May 2021 17:28:57 +0200 Subject: [PATCH 170/220] Update firststeps-trust_networks.md --- docs/firststeps-trust_networks.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/firststeps-trust_networks.md b/docs/firststeps-trust_networks.md index 801371e14..1e8c34eb7 100644 --- a/docs/firststeps-trust_networks.md +++ b/docs/firststeps-trust_networks.md @@ -7,7 +7,7 @@ If you decide to set `mynetworks`, Postfix ignores the mynetworks_style setting. ## Unauthenticated relaying !!! Warning -Incorrect setup of `mynetworks` will allow your server to be used as an open relay. If abused, this **will** affect your ability to send emails and can take some time to be resolved. + Incorrect setup of `mynetworks` will allow your server to be used as an open relay. If abused, this **will** affect your ability to send emails and can take some time to be resolved. ### IPv4 hosts/subnets @@ -34,4 +34,4 @@ mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 172.22.1.0 Run `docker-compose restart postfix-mailcow` to apply your new settings. !!! Info -More information about mynetworks can be found in the [Postfix documentation](http://www.postfix.org/postconf.5.html#mynetworks). + More information about mynetworks can be found in the [Postfix documentation](http://www.postfix.org/postconf.5.html#mynetworks). From 07a3e13d8820fbf1d92ff073ae1783bd4b993fd4 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Wed, 5 May 2021 17:29:32 +0200 Subject: [PATCH 171/220] Update firststeps-trust_networks.md --- docs/firststeps-trust_networks.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/firststeps-trust_networks.md b/docs/firststeps-trust_networks.md index 1e8c34eb7..5d65083af 100644 --- a/docs/firststeps-trust_networks.md +++ b/docs/firststeps-trust_networks.md @@ -27,7 +27,9 @@ Adding IPv6 hosts is done the same as IPv4, however the subnet needs to be place To add the subnet 2001:db8::/32 to the trusted networks you may use the following configuration, depending on your IPV4_NETWORK and IPV6_NETWORK scopes: -``` data/conf/postfix/extra.cf +Edit `data/conf/postfix/extra.cf`: + +``` mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 172.22.1.0/24 [fd4d:6169:6c63:6f77::]/64 [2001:db8::]/32 ``` From 3725c094a70534a7e6eb6830be53234fcfd14b3c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Wed, 5 May 2021 17:31:56 +0200 Subject: [PATCH 172/220] Update firststeps-trust_networks.md --- docs/firststeps-trust_networks.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/firststeps-trust_networks.md b/docs/firststeps-trust_networks.md index 5d65083af..aea044b9e 100644 --- a/docs/firststeps-trust_networks.md +++ b/docs/firststeps-trust_networks.md @@ -7,7 +7,7 @@ If you decide to set `mynetworks`, Postfix ignores the mynetworks_style setting. ## Unauthenticated relaying !!! Warning - Incorrect setup of `mynetworks` will allow your server to be used as an open relay. If abused, this **will** affect your ability to send emails and can take some time to be resolved. + Incorrect setup of `mynetworks` will allow your server to be used as an open relay. If abused, this **will** affect your ability to send emails and can take some time to be resolved. ### IPv4 hosts/subnets 
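Review bot: the removed and added Warning lines in this hunk read identically, so the change is whitespace only, and it is the second whitespace-only edit of this admonition in a row after [PATCH 170/220], both under the subject "Update firststeps-trust_networks.md". Say in the commit message what indentation the admonition body is being moved to and why, and squash the two commits, so that the history of the one paragraph on this page that warns about open relaying stays readable.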
@@ -36,4 +36,4 @@ mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 172.22.1.0 Run `docker-compose restart postfix-mailcow` to apply your new settings. !!! Info - More information about mynetworks can be found in the [Postfix documentation](http://www.postfix.org/postconf.5.html#mynetworks). + More information about mynetworks can be found in the [Postfix documentation](http://www.postfix.org/postconf.5.html#mynetworks). From ecc7eb24280bbe5b2b78bfad94792554607e339d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Wed, 5 May 2021 22:57:42 +0200 Subject: [PATCH 173/220] Update u_e-nginx.md --- docs/u_e-nginx.md | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/docs/u_e-nginx.md b/docs/u_e-nginx.md index 9743b6e55..9581dd9b6 100644 --- a/docs/u_e-nginx.md +++ b/docs/u_e-nginx.md @@ -6,10 +6,17 @@ nano data/conf/nginx/my_custom_site.conf A good template to begin with: -``` hl_lines="9" +``` hl_lines="16" server { ssl_certificate /etc/ssl/mail/cert.pem; ssl_certificate_key /etc/ssl/mail/key.pem; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_prefer_server_ciphers on; + ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305; + ssl_ecdh_curve X25519:X448:secp384r1:secp256k1; + ssl_session_cache shared:SSL:50m; + ssl_session_timeout 1d; + ssl_session_tickets off; index index.php index.html; client_max_body_size 0; root /web; 
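Review bot: `ssl_ecdh_curve X25519:X448:secp384r1:secp256k1;` in the added block lists `secp256k1`, the Koblitz curve, which is not one of the TLS 1.3 named groups and is not what mainstream TLS clients offer; the NIST P-256 curve is spelled `prime256v1` (secp256r1) and is very likely what was meant. As written, a client that offers only P-256 has no curve in common with this server. Suggest `ssl_ecdh_curve X25519:X448:secp384r1:prime256v1;`, and the same correction in the reverse proxy template in the next hunk, which adds the identical line.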
@@ -31,10 +38,17 @@ server { Another example with a reverse proxy configuration: -``` hl_lines="9 21" +``` hl_lines="16 28" server { ssl_certificate /etc/ssl/mail/cert.pem; ssl_certificate_key /etc/ssl/mail/key.pem; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_prefer_server_ciphers on; + ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305; + ssl_ecdh_curve X25519:X448:secp384r1:secp256k1; + ssl_session_cache shared:SSL:50m; + ssl_session_timeout 1d; + ssl_session_tickets off; index index.php index.html; client_max_body_size 0; root /web; From 5172d22b88d3e96e509d1e59d09d863518b15e24 Mon Sep 17 00:00:00 2001 From: xBytez Date: Wed, 5 May 2021 22:59:08 +0200 Subject: [PATCH 174/220] Fix cronjob formatting --- docs/b_n_r_backup.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/b_n_r_backup.md b/docs/b_n_r_backup.md index 9fb976e58..271a7b94e 100644 --- a/docs/b_n_r_backup.md +++ b/docs/b_n_r_backup.md @@ -37,7 +37,8 @@ MAILCOW_BACKUP_LOCATION=/opt/backup /opt/mailcow-dockerized/helper-scripts/backu You can run the backup script regularly via cronjob. Make sure `BACKUP_LOCATION` exists: -```5 4 * * * cd /opt/mailcow-dockerized/; MAILCOW_BACKUP_LOCATION=/mnt/mailcow_backups /opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh backup mysql crypt redis --delete-days 3 +``` +5 4 * * * cd /opt/mailcow-dockerized/; MAILCOW_BACKUP_LOCATION=/mnt/mailcow_backups /opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh backup mysql crypt redis --delete-days 3 ``` Per default cron sends the full result of each backup operation by email. If you want cron to only mail on error (non-zero exit code) you may want to use the following snippet. Pathes need to be modified according to your setup (this script is a user contribution). From 04cfc3dc2a592fc415e24eb3f3400d4110ef6c70 Mon Sep 17 00:00:00 2001 
From: Michael Kuron Date: Thu, 6 May 2021 22:45:28 +0200 Subject: [PATCH 175/220] Switch client information from cookies to session storage --- docs/clients.js | 15 ++------------- 1 file changed, 2 insertions(+), 13 deletions(-) diff --git a/docs/clients.js b/docs/clients.js index cc6cf1257..78b4365f5 100644 --- a/docs/clients.js +++ b/docs/clients.js @@ -1,7 +1,7 @@ if (window.location.href.indexOf('/client/') >= 0) { window.window.addEventListener('load', function () { function setCookie(name, value) { - document.cookie = encodeURIComponent(name) + "=" + encodeURIComponent(value) + "; path=/"; + sessionStorage.setItem(name, value); } function getParameterByName(name) { @@ -39,18 +39,7 @@ if (window.location.href.indexOf('/client/') >= 0) { if (window.location.href.indexOf('/client') >= 0) { window.window.addEventListener('load', function () { function getCookie(cn) { - var fixedcn = encodeURIComponent(cn); - var cs = document.cookie.split(';'); - for (var i = 0; i < cs.length; i++) { - var c = cs[i]; - while (c.charAt(0) == ' ') { - c = c.substring(1); - } - if (c.indexOf(fixedcn + "=") == 0) { - return decodeURIComponent(c.substring(cn.length + 1, c.length)); - } - } - return ""; + return sessionStorage.getItem(cn); } /* Hide variable fields if no values are available */ From dddc905a031203c736924dc7d5e6c3164e14b285 Mon Sep 17 00:00:00 2001 From: MAGIC Date: Fri, 7 May 2021 18:17:59 +0200 Subject: [PATCH 176/220] Update mkdocs-material to 7.1.4 and pin modules to tagged releases --- .github/workflows/gh-pages.yml | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index e924c2c3b..d704c127e 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml 
@@ -14,7 +14,7 @@ jobs: run: | sudo apt-get -y update sudo apt-get -y install python3-pip - pip install mkdocs-material pygments==2.9.0 mkdocs-redirects + pip install mkdocs-material==7.1.4 pygments==2.9.0 mkdocs-redirects==1.0.3 - name: Build site 🔧 run: | diff --git a/README.md b/README.md index bbc5b1471..a9d1b166c 100644 --- a/README.md +++ b/README.md @@ -9,6 +9,6 @@ https://mailcow.github.io/mailcow-dockerized-docs To build it locally, you need the [Material theme for MkDocs](https://squidfunk.github.io/mkdocs-material/), [MkDocs](https://www.mkdocs.org/) itself and [Pygments](http://pygments.org/). To install these with [pip](https://pip.pypa.io/en/stable/) and get it up and running, fire up your terminal and enter ``` -pip install mkdocs-material pygments==2.9.0 mkdocs-redirects +pip install mkdocs-material==7.1.4 pygments==2.9.0 mkdocs-redirects==1.0.3 mkdocs serve ``` From e4248056689a5646cd0354b7673f40cd5b7ff033 Mon Sep 17 00:00:00 2001 From: MAGIC Date: Mon, 10 May 2021 18:46:41 +0200 Subject: [PATCH 177/220] [GH-Actions] Update github-pages-deploy-action to 4.1.2 --- .github/workflows/gh-pages.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index d704c127e..058df2a12 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -21,7 +21,7 @@ jobs: mkdocs build --verbose --clean - name: Deploy 🚀 - uses: JamesIves/github-pages-deploy-action@4.1.1 + uses: JamesIves/github-pages-deploy-action@4.1.2 with: branch: gh-pages # The branch the action should deploy to. folder: site # The folder the action should deploy. From 2718f0490e3b47bb0ee92f20bf861834cff28bac Mon Sep 17 00:00:00 2001 From: Marc Leuser Date: Fri, 14 May 2021 09:28:46 +0200 Subject: [PATCH 178/220] fix a small typo in the xmpp FAQ --- docs/u_e-xmpp-faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/u_e-xmpp-faq.md b/docs/u_e-xmpp-faq.md index ee6f3c7a4..eef2d45b3 100644 --- a/docs/u_e-xmpp-faq.md +++ b/docs/u_e-xmpp-faq.md @@ -68,7 +68,7 @@ No, they will vanish: - **How many client sessions can be open at the same time?** -10 sessions are allowed per session. +10 sessions are allowed per user. ``` shaper_rules: From 4f1862ed951004984d5be618d29c50a93b5e4da2 Mon Sep 17 00:00:00 2001 From: MAGIC Date: Sun, 23 May 2021 22:52:28 +0200 Subject: [PATCH 179/220] [GH-Actions] Update github-pages-deploy-action to 4.1.3 --- .github/workflows/gh-pages.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 058df2a12..391b26026 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -21,7 +21,7 @@ jobs: mkdocs build --verbose --clean - name: Deploy 🚀 - uses: JamesIves/github-pages-deploy-action@4.1.2 + uses: JamesIves/github-pages-deploy-action@4.1.3 with: branch: gh-pages # The branch the action should deploy to. folder: site # The folder the action should deploy. From 0dd67c47c7044a213b47dc2af404ae3fab331e7d Mon Sep 17 00:00:00 2001 From: MAGIC Date: Sun, 23 May 2021 22:53:17 +0200 Subject: [PATCH 180/220] Update mkdocs-material to 7.1.5 --- .github/workflows/gh-pages.yml | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 391b26026..6043970d4 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -14,7 +14,7 @@ jobs: run: | sudo apt-get -y update sudo apt-get -y install python3-pip - pip install mkdocs-material==7.1.4 pygments==2.9.0 mkdocs-redirects==1.0.3 + pip install mkdocs-material==7.1.5 pygments==2.9.0 mkdocs-redirects==1.0.3 - name: Build site 🔧 run: | diff --git a/README.md b/README.md index a9d1b166c..128e342eb 100644 --- a/README.md +++ b/README.md 
@@ -9,6 +9,6 @@ https://mailcow.github.io/mailcow-dockerized-docs To build it locally, you need the [Material theme for MkDocs](https://squidfunk.github.io/mkdocs-material/), [MkDocs](https://www.mkdocs.org/) itself and [Pygments](http://pygments.org/). To install these with [pip](https://pip.pypa.io/en/stable/) and get it up and running, fire up your terminal and enter ``` -pip install mkdocs-material==7.1.4 pygments==2.9.0 mkdocs-redirects==1.0.3 +pip install mkdocs-material==7.1.5 pygments==2.9.0 mkdocs-redirects==1.0.3 mkdocs serve ``` From 2c91c41695bfa469c925262bf6a194165dcda53c Mon Sep 17 00:00:00 2001 From: Jan Kiesewetter <3628035+t3easy@users.noreply.github.com> Date: Tue, 25 May 2021 08:50:46 +0200 Subject: [PATCH 181/220] Update Traefik example - Define code block as Yaml - Use env HTTP_PORT to get the port Traefik should use - Use the default example `websecure` entrypoint like in Traefik examples --- docs/firststeps-rp.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/firststeps-rp.md b/docs/firststeps-rp.md index d33d03a0b..4b4b0a06d 100644 --- a/docs/firststeps-rp.md +++ b/docs/firststeps-rp.md @@ -185,7 +185,7 @@ For this we'll have to set `SKIP_LETS_ENCRYPT=y` on our `mailcow.conf`, and run Then we'll create a `docker-compose.override.yml` file in order to override the main `docker-compose.yml` found in your mailcow root folder. -``` +```yaml version: '2.1' services: 
@@ -204,10 +204,10 @@ services: - traefik.http.routers.moo.tls.certresolver=le # Creates a service called "moo" for the container, and specifies which internal port of the container # should traefik route the incoming data to. - - traefik.http.services.moo.loadbalancer.server.port=80 + - traefik.http.services.moo.loadbalancer.server.port=${HTTP_PORT} # Specifies which entrypoint (external port) should traefik listen to, for this container. # websecure being port 443, check the traefik.toml file liked above. - - traefik.http.routers.moo.entrypoints=secure + - traefik.http.routers.moo.entrypoints=websecure # Make sure traefik uses the web network, not the mailcowdockerized_mailcow-network - traefik.docker.network=web From 40cf3267b483b91c3c2f9c42b9c77582778a36ff Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Wed, 26 May 2021 15:26:59 +0200 Subject: [PATCH 182/220] Update third_party-roundcube.md --- docs/third_party-roundcube.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/third_party-roundcube.md b/docs/third_party-roundcube.md index dd2a99b18..bde36cfb8 100644 --- a/docs/third_party-roundcube.md +++ b/docs/third_party-roundcube.md @@ -2,9 +2,9 @@ Download Roundcube 1.4.x to the web htdocs directory and extract it (here `rc/`) ``` # Check for a newer release! cd data/web -wget -O - https://github.com/roundcube/roundcubemail/releases/download/1.4.9/roundcubemail-1.4.9-complete.tar.gz | tar xfvz - +wget -O - https://github.com/roundcube/roundcubemail/releases/download/1.4.11/roundcubemail-1.4.11-complete.tar.gz | tar xfvz - # Change folder name -mv roundcubemail-1.4.9 rc +mv roundcubemail-1.4.11 rc # Change permissions chown -R root: rc/ ``` From 04be45b253f2bddddfe0eb4ac4ce4051bb45c92f Mon Sep 17 00:00:00 2001 
From: andryyy Date: Fri, 28 May 2021 11:11:32 +0200 Subject: [PATCH 183/220] custom css --- docs/u_e-mailcow_ui-css.md | 3 +++ mkdocs.yml | 1 + 2 files changed, 4 insertions(+) create mode 100644 docs/u_e-mailcow_ui-css.md diff --git a/docs/u_e-mailcow_ui-css.md b/docs/u_e-mailcow_ui-css.md new file mode 100644 index 000000000..77a23f5bb --- /dev/null +++ b/docs/u_e-mailcow_ui-css.md @@ -0,0 +1,3 @@ +For custom overrides of specific elements via CSS, use `data/web/css/build/0081-custom-mailcow.css`. + +The file is excluded from tracking and persists over updates. diff --git a/mkdocs.yml b/mkdocs.yml index 666fbc45d..65a3b113a 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -65,6 +65,7 @@ nav: - 'Manual/Guides/Examples': - 'mailcow UI': - 'Configuration': 'u_e-mailcow_ui-config.md' + - 'CSS overrides': 'u_e-mailcow_ui-css.md' - 'Blacklist / Whitelist': 'u_e-mailcow_ui-bl_wl.md' - 'Pushover': 'u_e-mailcow_ui-pushover.md' - 'Spamfilter': 'u_e-mailcow_ui-spamfilter.md' From 4a47fb6e34922aa71a0adf6e23fc3d8466ea6c6a Mon Sep 17 00:00:00 2001 From: MAGIC Date: Sun, 30 May 2021 17:37:15 +0200 Subject: [PATCH 184/220] Update mkdocs-material to 7.1.6 --- .github/workflows/gh-pages.yml | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 6043970d4..eb09a5867 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -14,7 +14,7 @@ jobs: run: | sudo apt-get -y update sudo apt-get -y install python3-pip - pip install mkdocs-material==7.1.5 pygments==2.9.0 mkdocs-redirects==1.0.3 + pip install mkdocs-material==7.1.6 pygments==2.9.0 mkdocs-redirects==1.0.3 - name: Build site 🔧 run: | diff --git a/README.md b/README.md index 128e342eb..df9faf0dc 100644 --- a/README.md +++ b/README.md 
@@ -9,6 +9,6 @@ https://mailcow.github.io/mailcow-dockerized-docs To build it locally, you need the [Material theme for MkDocs](https://squidfunk.github.io/mkdocs-material/), [MkDocs](https://www.mkdocs.org/) itself and [Pygments](http://pygments.org/). To install these with [pip](https://pip.pypa.io/en/stable/) and get it up and running, fire up your terminal and enter ``` -pip install mkdocs-material==7.1.5 pygments==2.9.0 mkdocs-redirects==1.0.3 +pip install mkdocs-material==7.1.6 pygments==2.9.0 mkdocs-redirects==1.0.3 mkdocs serve ``` From 8c3102945a8a66f8c5e88b20e3a4ebc846e2d7e4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Tue, 1 Jun 2021 12:12:37 +0200 Subject: [PATCH 185/220] Update firststeps-logging.md --- docs/firststeps-logging.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/firststeps-logging.md b/docs/firststeps-logging.md index 2f12c33fb..56f8d0b7a 100644 --- a/docs/firststeps-logging.md +++ b/docs/firststeps-logging.md @@ -39,7 +39,7 @@ services: logging: driver: "gelf" options: - gelf-address: "udp://graylog:12201" + gelf-address: "udp://graylog:12201" ``` Another example for **Syslog**: From 4e8c17d5439d46a3ad627d08a9363724a8ea2df4 Mon Sep 17 00:00:00 2001 From: Maximilian Leith Date: Fri, 4 Jun 2021 10:54:47 +0200 Subject: [PATCH 186/220] updated browsers that support U2F --- docs/u_e-mailcow_ui-tfa.md | 29 +++++++++++++++++++++++------ 1 file changed, 23 insertions(+), 6 deletions(-) diff --git a/docs/u_e-mailcow_ui-tfa.md b/docs/u_e-mailcow_ui-tfa.md index 4e694e071..9a0ce1da6 100644 --- a/docs/u_e-mailcow_ui-tfa.md +++ b/docs/u_e-mailcow_ui-tfa.md 
@@ -1,10 +1,10 @@ -So far three methods for *Two-Factor Authentication* are implemented: U2F, Yubi OTP, and TOTP +So far three methods for _Two-Factor Authentication_ are implemented: U2F, Yubi OTP, and TOTP -- For U2F to work, you need an encrypted connection to the server (HTTPS) as well as a FIDO security key. -- Both U2F and Yubi OTP work well with the fantastic [Yubikey](https://www.yubico.com). -- While Yubi OTP needs an active internet connection and an API ID + key, U2F will work with any FIDO U2F USB key out of the box, but can only be used when mailcow is accessed over HTTPS. -- U2F and Yubi OTP support multiple keys per user. -- As the third TFA method mailcow uses TOTP: time-based one-time passwords. Those passwords can be generated with apps like "Google Authenticator" after initially scanning a QR code or entering the given secret manually. +- For U2F to work, you need an encrypted connection to the server (HTTPS) as well as a FIDO security key. +- Both U2F and Yubi OTP work well with the fantastic [Yubikey](https://www.yubico.com). +- While Yubi OTP needs an active internet connection and an API ID + key, U2F will work with any FIDO U2F USB key out of the box, but can only be used when mailcow is accessed over HTTPS. +- U2F and Yubi OTP support multiple keys per user. +- As the third TFA method mailcow uses TOTP: time-based one-time passwords. Those passwords can be generated with apps like "Google Authenticator" after initially scanning a QR code or entering the given secret manually. As administrator you are able to temporary disable a domain administrators TFA login until they successfully logged in. 
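Review bot: every changed line in this first hunk is formatting only (`*Two-Factor Authentication*` becomes `_Two-Factor Authentication_`, and the five bullets are removed and re-added with the same text), which looks like an editor's auto-formatter and has nothing to do with the subject "updated browsers that support U2F". Drop these lines from the patch or put them in their own commit, so that the browser list added in the next hunk is the only thing this commit shows in blame. The trailing context line ("temporary disable a domain administrators TFA login") also needs a grammar pass if this paragraph is being edited anyway.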
@@ -19,6 +19,23 @@ The API ID, API key and the first 12 characters (your YubiKeys ID in modhex) are ### U2F +To use U2F, the browser must support this standard. + +The following desktop browsers support this authentication type: + +- Edge (>=79) +- Firefox (>=47, enabled by default since version 67) +- Chrome (>=41) +- Safari (>=13) +- Opera (40, >=42, not 41) + +The following mobile browsers support this authentication type: + +- Safari on iOS (>=13.3) +- Firefox on Android (>=68) + +Sources: [caniuse.com](https://caniuse.com/u2f), [blog.mozilla.org](https://blog.mozilla.org/security/2019/08/05/web-authentication-in-firefox-for-android/) + Only Google Chrome (+derivatives) and Opera support U2F authentication to this day natively. Since version 67 Mozilla Firefox can handle U2F natively. ([Source](https://support.yubico.com/support/solutions/articles/15000017511-enabling-u2f-support-in-mozilla-firefox)) From 24fb085b6bf3b3a20a6d69487e847ede5ce6fee2 Mon Sep 17 00:00:00 2001 From: Maximilian Leith Date: Fri, 4 Jun 2021 10:57:59 +0200 Subject: [PATCH 187/220] removed old parts of the U2F section --- docs/u_e-mailcow_ui-tfa.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/docs/u_e-mailcow_ui-tfa.md b/docs/u_e-mailcow_ui-tfa.md index 9a0ce1da6..58e25c61f 100644 --- a/docs/u_e-mailcow_ui-tfa.md +++ b/docs/u_e-mailcow_ui-tfa.md @@ -36,9 +36,6 @@ The following mobile browsers support this authentication type: Sources: [caniuse.com](https://caniuse.com/u2f), [blog.mozilla.org](https://blog.mozilla.org/security/2019/08/05/web-authentication-in-firefox-for-android/) -Only Google Chrome (+derivatives) and Opera support U2F authentication to this day natively. -Since version 67 Mozilla Firefox can handle U2F natively. ([Source](https://support.yubico.com/support/solutions/articles/15000017511-enabling-u2f-support-in-mozilla-firefox)) - U2F works without an internet connection. ### TOTP From 61aee88b41a81edc6b79c989640a9373f29789fd Mon Sep 17 00:00:00 2001 
From: MAGIC Date: Sat, 5 Jun 2021 19:43:34 +0200 Subject: [PATCH 188/220] [GH-Actions][pages] Update github-pages-deploy-action to 4.1.4 --- .github/workflows/gh-pages.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index eb09a5867..9aaf95413 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -21,7 +21,7 @@ jobs: mkdocs build --verbose --clean - name: Deploy 🚀 - uses: JamesIves/github-pages-deploy-action@4.1.3 + uses: JamesIves/github-pages-deploy-action@4.1.4 with: branch: gh-pages # The branch the action should deploy to. folder: site # The folder the action should deploy. From 6892e0a1f75ee112b86f6527ffd606e1c78a5d36 Mon Sep 17 00:00:00 2001 From: MAGIC Date: Sun, 6 Jun 2021 16:13:30 +0200 Subject: [PATCH 189/220] [GH-Actions][pages] Update mkdocs-material to 7.1.7 --- .github/workflows/gh-pages.yml | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 9aaf95413..cdf77fc0e 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -14,7 +14,7 @@ jobs: run: | sudo apt-get -y update sudo apt-get -y install python3-pip - pip install mkdocs-material==7.1.6 pygments==2.9.0 mkdocs-redirects==1.0.3 + pip install mkdocs-material==7.1.7 pygments==2.9.0 mkdocs-redirects==1.0.3 - name: Build site 🔧 run: | diff --git a/README.md b/README.md index df9faf0dc..6befcbeb1 100644 --- a/README.md +++ b/README.md 
@@ -9,6 +9,6 @@ https://mailcow.github.io/mailcow-dockerized-docs To build it locally, you need the [Material theme for MkDocs](https://squidfunk.github.io/mkdocs-material/), [MkDocs](https://www.mkdocs.org/) itself and [Pygments](http://pygments.org/). To install these with [pip](https://pip.pypa.io/en/stable/) and get it up and running, fire up your terminal and enter ``` -pip install mkdocs-material==7.1.6 pygments==2.9.0 mkdocs-redirects==1.0.3 +pip install mkdocs-material==7.1.7 pygments==2.9.0 mkdocs-redirects==1.0.3 mkdocs serve ``` From 173f6890722f236e3e1cf7aa050a12277d6416ad Mon Sep 17 00:00:00 2001 From: MAGIC Date: Sat, 12 Jun 2021 21:20:12 +0200 Subject: [PATCH 190/220] [GH-Actions][pages] Update mkdocs-material to 7.1.8 --- .github/workflows/gh-pages.yml | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index cdf77fc0e..f6ecefd96 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -14,7 +14,7 @@ jobs: run: | sudo apt-get -y update sudo apt-get -y install python3-pip - pip install mkdocs-material==7.1.7 pygments==2.9.0 mkdocs-redirects==1.0.3 + pip install mkdocs-material==7.1.8 pygments==2.9.0 mkdocs-redirects==1.0.3 - name: Build site 🔧 run: | diff --git a/README.md b/README.md index 6befcbeb1..001361d7b 100644 --- a/README.md +++ b/README.md @@ -9,6 +9,6 @@ https://mailcow.github.io/mailcow-dockerized-docs To build it locally, you need the [Material theme for MkDocs](https://squidfunk.github.io/mkdocs-material/), [MkDocs](https://www.mkdocs.org/) itself and [Pygments](http://pygments.org/). To install these with [pip](https://pip.pypa.io/en/stable/) and get it up and running, fire up your terminal and enter ``` -pip install mkdocs-material==7.1.7 pygments==2.9.0 mkdocs-redirects==1.0.3 +pip install mkdocs-material==7.1.8 pygments==2.9.0 mkdocs-redirects==1.0.3 mkdocs serve ``` 
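Review bot: the version string is edited by hand in two places in this patch, the workflow's `pip install` line and this README block, and the same pair of edits recurs in every earlier mkdocs-material bump in the series, so the two copies can drift apart with one missed edit. Move the pins into a single `requirements.txt` (name is a suggestion) and have both the workflow and the README use `pip install -r requirements.txt`. Note also that the README text says MkDocs itself is required, yet `mkdocs` is not in the pinned list, so its version is still whatever mkdocs-material pulls in at install time.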
From d3a5778d69a6cbc289907185b3b6422a010af365 Mon Sep 17 00:00:00 2001 From: Daniel Lo Nigro Date: Sun, 13 Jun 2021 16:52:17 -0700 Subject: [PATCH 191/220] Small tweaks to prerequisite-dns.md --- docs/prerequisite-dns.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/prerequisite-dns.md b/docs/prerequisite-dns.md index e5e7427cd..f5886e69c 100644 --- a/docs/prerequisite-dns.md +++ b/docs/prerequisite-dns.md @@ -90,7 +90,7 @@ If you are interested in statistics, you can additionally register with some of !!! Tip It is worth considering that if you request DMARC statistic reports to your mailcow server and your mailcow server is not configured correctly to receive these reports, you may not get accurate and complete results. Please consider using an alternative email domain for receiving DMARC reports. -It is worth mentioning, that the following suggestions are not a comprehensive list of all services and tools avaialble, but only a small few of the many choices. +It is worth mentioning, that the following suggestions are not a comprehensive list of all services and tools available, but only a small few of the many choices. - [Postmaster Tool](https://gmail.com/postmaster) - [parsedmarc](https://github.com/domainaware/parsedmarc) (self-hosted) @@ -100,7 +100,7 @@ It is worth mentioning, that the following suggestions are not a comprehensive l !!! Tip -These services may provide you with a TXT record you need to insert into your DNS records as the provider specifies. Please ensure to read the providers documentation from the service you choose as this process may vary. +These services may provide you with a TXT record you need to insert into your DNS records as the provider specifies. Please ensure you read the provider's documentation from the service you choose as this process may vary. ### Email test for SPF, DKIM and DMARC: 
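Review bot: the reworded Tip line in this hunk still says the same thing twice in "read the provider's documentation from the service you choose"; "Please read your chosen provider's documentation, as this process may vary" covers it. The context heading "### Email test for SPF, DKIM and DMARC:" keeps its trailing colon, which could be dropped in the same pass since this patch is already a wording cleanup of the file.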
@@ -127,4 +127,4 @@ The full report will contain more technical details. ### Fully Qualified Domain Name (FQDN) -[^1]: A **Fully Qualified Domain Name** (**FQDN**) is the complete (absolute) domain name for a specific computer or host, on the Internet. The FQDN consists of at least three parts divided by a dot: the hostname (myhost), the domain name (mydomain) and the top level domain in short **tld** (com). In the example of `mx.mailcow.email` the hostname would be `mx`, the domain name `mailcow` and the tld `email`. +[^1]: A **Fully Qualified Domain Name** (**FQDN**) is the complete (absolute) domain name for a specific computer or host, on the Internet. The FQDN consists of at least three parts divided by a dot: the hostname, the domain name, and the Top Level Domain (**TLD** for short). In the example of `mx.mailcow.email` the hostname would be `mx`, the domain name `mailcow` and the TLD `email`. From 835757a9319a5bbf564719dd6fff67a2e4d0e14b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Fri, 18 Jun 2021 11:01:15 +0200 Subject: [PATCH 192/220] Update i_u_m_install.md --- docs/i_u_m_install.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/i_u_m_install.md b/docs/i_u_m_install.md index ddb7d28f6..444cb558b 100644 --- a/docs/i_u_m_install.md +++ b/docs/i_u_m_install.md @@ -3,7 +3,7 @@ **We do not recommend** CentOS 8 anymore. -You need Docker and Docker Compose. +You need Docker (a version >= `20.10.2` is required) and Docker Compose. **1\.** Learn how to install [Docker](https://docs.docker.com/install/) and [Docker Compose](https://docs.docker.com/compose/install/). From 932887c4e09a4863850cd6d0e11f7ce469c387a2 Mon Sep 17 00:00:00 2001 
From: Marc Samendinger Date: Mon, 21 Jun 2021 20:55:52 +0200 Subject: [PATCH 193/220] Update link to Solr Solr has become a Apache Software Foundation Top Level Project (TLP) on 17 February 2021. This means it moved from being a sub of lucene http://lucene.apache.org/solr/ to a new website. See https://web.archive.org/web/20210424020503/https://solr.apache.org/news.html#apache-solr-becomes-an-apache-tlp --- docs/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/index.md b/docs/index.md index c54fb769d..ef76ed5ef 100644 --- a/docs/index.md +++ b/docs/index.md @@ -78,7 +78,7 @@ Each container represents a single application. - [Redis](https://redis.io/) - [Rspamd](https://www.rspamd.com/) - [SOGo](https://sogo.nu/) -- [Solr](http://lucene.apache.org/solr/) (optional) +- [Solr](https://solr.apache.org/) (optional) - [Unbound](https://unbound.net/) - A Watchdog to provide basic monitoring From dd03205eb6dbdb5093744ffba1dfeae93ac4df3f Mon Sep 17 00:00:00 2001 From: MAGIC Date: Fri, 25 Jun 2021 18:03:21 +0200 Subject: [PATCH 194/220] [GH-Actions][pages] Update mkdocs-material to 7.1.9 --- .github/workflows/gh-pages.yml | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index f6ecefd96..159e6f6f1 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -14,7 +14,7 @@ jobs: run: | sudo apt-get -y update sudo apt-get -y install python3-pip - pip install mkdocs-material==7.1.8 pygments==2.9.0 mkdocs-redirects==1.0.3 + pip install mkdocs-material==7.1.9 pygments==2.9.0 mkdocs-redirects==1.0.3 - name: Build site 🔧 run: | diff --git a/README.md b/README.md index 001361d7b..5ca3a161e 100644 --- a/README.md +++ b/README.md 
@@ -9,6 +9,6 @@ https://mailcow.github.io/mailcow-dockerized-docs To build it locally, you need the [Material theme for MkDocs](https://squidfunk.github.io/mkdocs-material/), [MkDocs](https://www.mkdocs.org/) itself and [Pygments](http://pygments.org/). To install these with [pip](https://pip.pypa.io/en/stable/) and get it up and running, fire up your terminal and enter ``` -pip install mkdocs-material==7.1.8 pygments==2.9.0 mkdocs-redirects==1.0.3 +pip install mkdocs-material==7.1.9 pygments==2.9.0 mkdocs-redirects==1.0.3 mkdocs serve ``` From 6061ecc595182203d338872777600e8a3f005a54 Mon Sep 17 00:00:00 2001 From: Sascha Moser <28950736+xopez@users.noreply.github.com> Date: Mon, 28 Jun 2021 04:03:42 +0200 Subject: [PATCH 195/220] Normalize DNS to lowercase --- docs/prerequisite-dns.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/prerequisite-dns.md b/docs/prerequisite-dns.md index f5886e69c..c0659d55a 100644 --- a/docs/prerequisite-dns.md +++ b/docs/prerequisite-dns.md @@ -60,7 +60,7 @@ _dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:mailauth-reports@ _autodiscover._tcp IN SRV 0 1 443 mail.example.org. (your ${MAILCOW_HOSTNAME}) _caldavs._tcp IN SRV 0 1 443 mail.example.org. (your ${MAILCOW_HOSTNAME}) _caldavs._tcp IN TXT "path=/SOGo/dav/" -_carddavs._tcp IN SRV 0 1 443 Mail.example.org. (your ${MAILCOW_HOSTNAME}) +_carddavs._tcp IN SRV 0 1 443 mail.example.org. (your ${MAILCOW_HOSTNAME}) _carddavs._tcp IN TXT "path=/SOGo/dav/" _imap._tcp IN SRV 0 1 143 mail.example.org. (your ${MAILCOW_HOSTNAME}) _imaps._tcp IN SRV 0 1 993 mail.example.org. (your ${MAILCOW_HOSTNAME}) From bae054e799fcefab525fd98c4a5d8982ce38403f Mon Sep 17 00:00:00 2001 
From: MAGIC Date: Wed, 30 Jun 2021 18:00:08 +0200 Subject: [PATCH 196/220] Remove mentions of XMPP --- docs/client/client-gajim_xmpp_client.md | 1 - docs/firststeps-rp.md | 10 +-- docs/index.md | 5 +- docs/prerequisite-system.md | 3 - docs/u_e-xmpp-enable.md | 98 ------------------------- docs/u_e-xmpp-faq.md | 76 ------------------- mkdocs.yml | 4 - 7 files changed, 4 insertions(+), 193 deletions(-) delete mode 100644 docs/client/client-gajim_xmpp_client.md delete mode 100644 docs/u_e-xmpp-enable.md delete mode 100644 docs/u_e-xmpp-faq.md diff --git a/docs/client/client-gajim_xmpp_client.md b/docs/client/client-gajim_xmpp_client.md deleted file mode 100644 index 85e6ff194..000000000 --- a/docs/client/client-gajim_xmpp_client.md +++ /dev/null @@ -1 +0,0 @@ -# WIP diff --git a/docs/firststeps-rp.md b/docs/firststeps-rp.md index d33d03a0b..d3ef9ba9b 100644 --- a/docs/firststeps-rp.md +++ b/docs/firststeps-rp.md @@ -48,13 +48,11 @@ Let's Encrypt will follow our rewrite, certificate requests in mailcow will work **Take care of highlighted lines.** -``` apache hl_lines="2 5 6 12 13 19 22 23 26 27 28 29 34 35" +``` apache hl_lines="2 10 11 17 22 23 24 25 30 31" ServerName CHANGE_TO_MAILCOW_HOSTNAME ServerAlias autodiscover.* ServerAlias autoconfig.* - ServerAlias xmpp_prefix_if_any.domain - ServerAlias *.xmpp_prefix_if_any.domain RewriteEngine on RewriteCond %{HTTPS} off @@ -70,8 +68,6 @@ Let's Encrypt will follow our rewrite, certificate requests in mailcow will work ServerName CHANGE_TO_MAILCOW_HOSTNAME ServerAlias autodiscover.* ServerAlias autoconfig.* - ServerAlias xmpp_prefix_if_any.domain - ServerAlias *.xmpp_prefix_if_any.domain # You should proxy to a plain HTTP session to offload SSL processing ProxyPass /Microsoft-Server-ActiveSync http://127.0.0.1:8080/Microsoft-Server-ActiveSync connectiontimeout=4000 
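Review bot: the deleted pages `docs/u_e-xmpp-enable.md` and `docs/u_e-xmpp-faq.md` get no redirect. The diffstat shows `mkdocs.yml | 4 -`, removals only, so existing links to those URLs will return 404 once this is published. The docs build already installs `mkdocs-redirects`, so a redirect map entry pointing to a page that explains the removal would cover them. The commit message gives no reason or migration hint for operators who have XMPP enabled, and `docs/index.md` now ends without a trailing newline (`\ No newline at end of file`).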
@@ -106,13 +102,13 @@ Let's Encrypt will follow our rewrite, certificate requests will work fine. server { listen 80 default_server; listen [::]:80 default_server; - server_name CHANGE_TO_MAILCOW_HOSTNAME autodiscover.* autoconfig.* xmpp_prefix_if_any.domain *.xmpp_prefix_if_any.domain; + server_name CHANGE_TO_MAILCOW_HOSTNAME autodiscover.* autoconfig.*; return 301 https://$host$request_uri; } server { listen 443 ssl http2; listen [::]:443 ssl http2; - server_name CHANGE_TO_MAILCOW_HOSTNAME autodiscover.* autoconfig.* xmpp_prefix_if_any.domain *.xmpp_prefix_if_any.domain; + server_name CHANGE_TO_MAILCOW_HOSTNAME autodiscover.* autoconfig.*; ssl_certificate MAILCOW_PATH/data/assets/ssl/cert.pem; ssl_certificate_key MAILCOW_PATH/data/assets/ssl/key.pem; diff --git a/docs/index.md b/docs/index.md index ef76ed5ef..d8b09f192 100644 --- a/docs/index.md +++ b/docs/index.md @@ -67,7 +67,6 @@ Each container represents a single application. - [ACME](https://letsencrypt.org/) - [ClamAV](https://www.clamav.net/) (optional) - [Dovecot](https://www.dovecot.org/) -- [ejabberd](https://www.ejabberd.im/) - [MariaDB](https://mariadb.org/) - [Memcached](https://www.memcached.org/) - [Netfilter](https://www.netfilter.org/) (Fail2ban-like integration by [@mkuron](https://github.com/mkuron)) @@ -94,6 +93,4 @@ Each container represents a single application. - sogo-web-vol-1 - solr-vol-1 - vmail-index-vol-1 -- vmail-vol-1 -- xmpp-upload-vol-1 -- xmpp-vol-1 +- vmail-vol-1 \ No newline at end of file diff --git a/docs/prerequisite-system.md b/docs/prerequisite-system.md index 8ece0257c..6c5df19f3 100644 --- a/docs/prerequisite-system.md +++ b/docs/prerequisite-system.md 
@@ -70,9 +70,6 @@ If you have a firewall in front of mailcow, please make sure that these ports ar | Dovecot POP3S | TCP | 995 | dovecot-mailcow | `${POPS_PORT}` | | Dovecot ManageSieve | TCP | 4190 | dovecot-mailcow | `${SIEVE_PORT}` | | HTTP(S) | TCP | 80/443 | nginx-mailcow | `${HTTP_PORT}` / `${HTTPS_PORT}` | -| XMPP (c2s) | TCP | 5222 | ejabberd-mailcow | `${XMPP_C2S_PORT}` | -| XMPP (s2s) | TCP | 5269 | ejabberd-mailcow | `${XMPP_C2S_PORT}` | -| XMPP (upload) | TCP | 5443 | ejabberd-mailcow | `${XMPP_HTTPS_PORT}` | To bind a service to an IP address, you can prepend the IP like this: `SMTP_PORT=1.2.3.4:25` diff --git a/docs/u_e-xmpp-enable.md b/docs/u_e-xmpp-enable.md deleted file mode 100644 index 3d4dc0adf..000000000 --- a/docs/u_e-xmpp-enable.md +++ /dev/null 
@@ -1,98 +0,0 @@ -XMPP is provided by ejabberd, which describes itself as robust, scalable and extensible XMPP Server. - -So first of all, thanks to ejabberd and its contributers! - -## Enable XMPP in mailcow - -To enable XMPP for a domain, you need to edit the given domain in mailcow UI: - -![Screen1](https://i.imgur.com/oLyHBke.png) - -The chosen prefix will be used to derive your XMPP login. - -A prefix **xmpp_prefix** for the mailbox user `cowboy@develcow.de` would equal to the JID `cowboy@xmpp_prefix.develcow.de`. - -!!! info - The login passwords for mail and XMPP are the same. XMPP users are authenticated against mailcow. - -Before enabling XMPP for a domain, you should create two CNAME records in DNS: - -``` -# CNAMES -# Name Type Value -xmpp_prefix IN CNAME mail.example.org. (your ${MAILCOW_HOSTNAME}) -*.xmpp_prefix IN CNAME mail.example.org. (your ${MAILCOW_HOSTNAME}) -``` - -These two CNAMEs are essential for acquiring a certificate. Please **do not** add "xmpp_prefix.domain.tld" as name to `ADDITIONAL_SAN`. - -Make sure your CNAMEs are correct. Enable XMPP for your domain now. - -If you enabled XMPP first and then added your DNS records there is no need to worry. You will just need to wait for ejabberd to automatically acquire the certificates or -simply restart ejabberd-mailcow to trigger the process immediately: `docker-compose restart ejabberd-mailcow`. - -Once ejabberd is enabled, you may want to re-run the DNS check in the mailcow UI where you will find two more SRV records: - -![Screen2](https://i.imgur.com/IxlUZ7y.png) - -``` -# SRV records -# Name Type Value -_xmpp-client._tcp.xmpp_prefix IN SRV 10 1 5222 mail.example.org. (your ${MAILCOW_HOSTNAME}) -_xmpp-server._tcp.xmpp_prefix IN SRV 10 1 5269 mail.example.org. (your ${MAILCOW_HOSTNAME}) -``` - -There is no need to restart ejabberd, add these SRV records whenever you like. These records are crucial for autoconfiguration of XMPP clients and server-to-server connections. 
- -## ACL - -A domain administrator can be given the right to toggle XMPP access for domains and mailboxes, promoting users to XMPP administrators (WIP) and to change the prefix: - -![Screen3](https://i.imgur.com/OxKuDFU.png) - -## Verify certificates - -Once everything is setup, make sure ejabberd was able to acquire certificates: - -If you see a message similar to... - -``` -ejabberd-mailcow_1 | 2021-02-13 14:40:19.507956+01:00 [error] Failed to request certificate for im.example.org, pubsub.im.example.org and 3 more hosts: Challenge failed for domain conference.im.example.org: ACME server reported: DNS problem: NXDOMAIN looking up A for conference.im.example.org - check that a DNS record exists for this domain (error type: dns) -``` - -...you may need to recheck your DNS configuration or restart ejabberd-mailcow to restart the process in case of slow DNS propagation. - -Opening `https://xmpp_prefix.domain.tld:5443/upload` should point you to a 404 page with a valid certificate. - -## Why can't we use no prefix? - -It does not matter which server name we point our SRV to, Jabber will always rely on the domain given in a JID. We would need to acquire a certificate for the SLD `domain.tld`, which hardly anyone wants to point to its mail system. - -We are sorry for this circumstance. As soon as we implemented Servercows DNS API, this may be reconsidered. - -## My reverse proxy does not work anymore - -If your reverse proxy is configured to point to a site like `webmail.domain.tld` **which mailcow is not aware of** (as in MAILCOW_HOSTNAME does **not** match `webmail.domain.tld`), you may now be redirected to the default ejabberd Nginx site. - -That's because mailcow does not know it should respond to `webmail.domain.tld` with mailcow UI. - -### Method 1 - -A more simple approach is defining `ADDITIONAL_SERVER_NAMES` in `mailcow.conf`: - -``` -ADDITIONAL_SERVER_NAMES=webmail.domain.tld -``` - -Run `docker-compose up -d` to apply. 
- -### Method 2 - -In your reverse proxy configuration, make sure you set a "Host" header that mailcow actually services, similar to this (Nginx example): - -``` -proxy_set_header Host MAILCOW_HOSTNAME; -# Instead of proxy_set_header Host $http_host; -``` - -Now you can use whatever name you like, as long mailcow receives a known "Host" header. diff --git a/docs/u_e-xmpp-faq.md b/docs/u_e-xmpp-faq.md deleted file mode 100644 index eef2d45b3..000000000 --- a/docs/u_e-xmpp-faq.md +++ /dev/null 
@@ -1,76 +0,0 @@ -## FAQ - -Please find the most frequently asked questions with their corresponding configuration in `data/conf/ejabberd/ejabberd.yml` (if any). - -- **I do not want to run ejabberd, is there a `SKIP_XMPP` variable?** - -No, there is not. But you don't need one either. - -The xmppd behaves the same way as SOGo or Solr do when disabled. A shell will be idling and ejabberd will **not** be started (but open unconnected ports). - -As soon as a domain is enabled for XMPP, the container will be restarted and ejabberd bootstrapped. - -ejabberd is **very** light on resources, you may want to give it a try. - -- **Are messages stored on the server?** - -Not by default. The default setting is to disable the message archive via mod_mam but allow users to enable the function if they want to: - -``` - mod_mam: - clear_archive_on_room_destroy: true - default: never - compress_xml: true - request_activates_archiving: true -``` - -- **Are uploaded files stored on the server?** - -Yes, uploaded files are stored in the volume `xmpp-uploads-vol-1`. - -The retention policy saves them for 30 days: - -``` - mod_http_upload_quota: - max_days: 30 -``` - -- **Are messages stored when a JID is offline?** - -Yes, up to 1000 messages are stored for "normal" users and administrators: - -``` -shaper_rules: - max_user_offline_messages: - 1000: admin - 1000: all -``` - -- **Are messages written in group chats stored?** - -No, messages are not stored: - -``` - mod_muc: - default_room_options: - mam: false -``` - -- **Are group chats persistent when the last participant leaves?** - -No, they will vanish: - -``` - mod_muc: - default_room_options: - persistent: false -``` - -- **How many client sessions can be open at the same time?** - -10 sessions are allowed per user. - -``` -shaper_rules: - max_user_sessions: 10 -``` diff --git a/mkdocs.yml b/mkdocs.yml index 65a3b113a..6f64f5853 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
@@ -99,9 +99,6 @@ nav: - 'Redis': 'u_e-redis.md' - 'Rspamd': 'u_e-rspamd.md' - 'SOGo': 'u_e-sogo.md' - - 'XMPP': - - 'FAQ': 'u_e-xmpp-faq.md' - - 'Enable XMPP': 'u_e-xmpp-enable.md' - 'Docker': - 'Customize Dockerfiles': 'u_e-docker-cust_dockerfiles.md' - 'Docker Compose Bash Completion': 'u_e-docker-dc_bash_compl.md' @@ -114,7 +111,6 @@ nav: - 'Android': 'client/client-android.md' - 'Apple macOS / iOS': 'client/client-apple.md' - 'eM Client': 'client/client-emclient.md' - - 'Gajim XMPP client': 'client/client-gajim_xmpp_client.md' - 'KDE Kontact': 'client/client-kontact.md' - 'Microsoft Outlook': 'client/client-outlook.md' - 'Mozilla Thunderbird': 'client/client-thunderbird.md' From d7289022613cbef5e9464e20692f986f4c811e31 Mon Sep 17 00:00:00 2001 From: Peter Date: Sun, 4 Jul 2021 17:14:05 +0200 Subject: [PATCH 197/220] Update debug-reset_pw.md Related to https://github.com/mailcow/mailcow-dockerized/pull/4162 --- docs/debug-reset_pw.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/debug-reset_pw.md b/docs/debug-reset_pw.md index 149d73124..485ca877a 100644 --- a/docs/debug-reset_pw.md +++ b/docs/debug-reset_pw.md @@ -1,6 +1,6 @@ ## mailcow Admin Account -Reset mailcow admin to `admin:moohoo`. Older mailcow: dockerized installations may find `mailcow-reset-admin.sh` in their mailcow root directory (mailcow_path). +Resets the mailcow admin account to a random password. Older mailcow: dockerized installations may find the `mailcow-reset-admin.sh` script in their mailcow root directory (mailcow_path). ``` cd mailcow_path From 340d34556e2439fdde735fef4e034ac727dd45c1 Mon Sep 17 00:00:00 2001 From: MAGIC Date: Sat, 10 Jul 2021 15:33:11 +0200 Subject: [PATCH 198/220] [GH-Actions][pages] Update mkdocs-material to 7.1.10 --- .github/workflows/gh-pages.yml | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 159e6f6f1..f539edc2d 100644 
--- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -14,7 +14,7 @@ jobs: run: | sudo apt-get -y update sudo apt-get -y install python3-pip - pip install mkdocs-material==7.1.9 pygments==2.9.0 mkdocs-redirects==1.0.3 + pip install mkdocs-material==7.1.10 pygments==2.9.0 mkdocs-redirects==1.0.3 - name: Build site 🔧 run: | diff --git a/README.md b/README.md index 5ca3a161e..e30f2e930 100644 --- a/README.md +++ b/README.md @@ -9,6 +9,6 @@ https://mailcow.github.io/mailcow-dockerized-docs To build it locally, you need the [Material theme for MkDocs](https://squidfunk.github.io/mkdocs-material/), [MkDocs](https://www.mkdocs.org/) itself and [Pygments](http://pygments.org/). To install these with [pip](https://pip.pypa.io/en/stable/) and get it up and running, fire up your terminal and enter ``` -pip install mkdocs-material==7.1.9 pygments==2.9.0 mkdocs-redirects==1.0.3 +pip install mkdocs-material==7.1.10 pygments==2.9.0 mkdocs-redirects==1.0.3 mkdocs serve ``` From 20ba3392626ebe8e7fdb5e60130d61b61f4a0cc0 Mon Sep 17 00:00:00 2001 From: cybernet Date: Sun, 18 Jul 2021 12:21:01 +0100 Subject: [PATCH 199/220] one liner --- docs/i_u_m_install.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/i_u_m_install.md b/docs/i_u_m_install.md index 444cb558b..764f462cc 100644 --- a/docs/i_u_m_install.md +++ b/docs/i_u_m_install.md @@ -13,8 +13,7 @@ Quick installation for most operation systems: ``` curl -sSL https://get.docker.com/ | CHANNEL=stable sh # After the installation process is finished, you may need to enable the service and make sure it is started (e.g. CentOS 7) -systemctl enable docker.service -systemctl start docker.service +systemctl enable --now docker ``` - Docker-Compose From 901d00554cf5b56a6c6df110256789437985fbc9 Mon Sep 17 00:00:00 2001 
From: Peter Date: Sun, 18 Jul 2021 19:21:23 +0200 Subject: [PATCH 200/220] [GH-Actions][pages] Update mkdocs-material to 7.1.11 --- .github/workflows/gh-pages.yml | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index f539edc2d..7b3ac61fb 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -14,7 +14,7 @@ jobs: run: | sudo apt-get -y update sudo apt-get -y install python3-pip - pip install mkdocs-material==7.1.10 pygments==2.9.0 mkdocs-redirects==1.0.3 + pip install mkdocs-material==7.1.11 pygments==2.9.0 mkdocs-redirects==1.0.3 - name: Build site 🔧 run: | diff --git a/README.md b/README.md index e30f2e930..75f507540 100644 --- a/README.md +++ b/README.md @@ -9,6 +9,6 @@ https://mailcow.github.io/mailcow-dockerized-docs To build it locally, you need the [Material theme for MkDocs](https://squidfunk.github.io/mkdocs-material/), [MkDocs](https://www.mkdocs.org/) itself and [Pygments](http://pygments.org/). To install these with [pip](https://pip.pypa.io/en/stable/) and get it up and running, fire up your terminal and enter ``` -pip install mkdocs-material==7.1.10 pygments==2.9.0 mkdocs-redirects==1.0.3 +pip install mkdocs-material==7.1.11 pygments==2.9.0 mkdocs-redirects==1.0.3 mkdocs serve ``` From 88a240885a4ce6bbae072bd3dd35bbabd062dcbe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Mon, 19 Jul 2021 09:39:43 +0200 Subject: [PATCH 201/220] Update u_e-nginx.md --- docs/u_e-nginx.md | 31 ++++++++++++++++++++++++++----- 1 file changed, 26 insertions(+), 5 deletions(-) diff --git a/docs/u_e-nginx.md b/docs/u_e-nginx.md index 9581dd9b6..b82081aea 100644 --- a/docs/u_e-nginx.md +++ b/docs/u_e-nginx.md 
@@ -1,11 +1,19 @@ +## SSL + +Please see [Advanced SSL](https://mailcow.github.io/mailcow-dockerized-docs/firststeps-ssl/) and explicitly check `ADDITIONAL_SERVER_NAMES` for SSL configuration. + +Please do not add ADDITIONAL_SERVER_NAMES when you plan to use a different web root. + +## New site + To create persistent (over updates) sites hosted by mailcow: dockerized, a new site configuration must be placed inside `data/conf/nginx/`: +A good template to begin with: + ``` nano data/conf/nginx/my_custom_site.conf ``` -A good template to begin with: - ``` hl_lines="16" server { ssl_certificate /etc/ssl/mail/cert.pem; @@ -19,15 +27,20 @@ server { ssl_session_tickets off; index index.php index.html; client_max_body_size 0; + # Location: data/web root /web; + # Location: data/web/mysite.com + #root /web/mysite.com include /etc/nginx/conf.d/listen_plain.active; include /etc/nginx/conf.d/listen_ssl.active; server_name mysite.example.org; server_tokens off; + # This allows acme to be validated even with a different web root location ^~ /.well-known/acme-challenge/ { - allow all; default_type "text/plain"; + rewrite /.well-known/acme-challenge/(.*) /$1 break; + root /web/.well-known/acme-challenge/; } if ($scheme = http) { @@ -36,8 +49,14 @@ server { } ``` +## New site with proxy to a remote location + Another example with a reverse proxy configuration: +``` +nano data/conf/nginx/my_custom_site.conf +``` + ``` hl_lines="16 28" server { ssl_certificate /etc/ssl/mail/cert.pem; @@ -77,8 +96,9 @@ server { } ``` +## Config expansion in mailcows Nginx -The filename is not important, as long as the filename carries a .conf extension. +The filename used for a new site is not important, as long as the filename carries a .conf extension. It is also possible to extend the configuration of the default file `site.conf` file: 
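Review bot: in the first hunk of `docs/u_e-nginx.md`, "A good template to begin with:" has moved above the `nano data/conf/nginx/my_custom_site.conf` block, so it now introduces the editor command and the `server { ... }` template that follows has no lead-in. Keep that sentence directly above the template block, where it was, and let the `nano` block follow the sentence ending in "must be placed inside `data/conf/nginx/`:".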
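Review bot: the `@@ -19,15 +27,20 @@` hunk adds three lines above `server_name mysite.example.org;` inside the template, but the fence still says `hl_lines="16"`, so the highlight now lands on `#root /web/mysite.com` instead of `server_name`; it should become `hl_lines="19"`. The commented alternative `#root /web/mysite.com` is also missing its trailing `;`, so a reader who simply uncomments it gets an Nginx syntax error because the directive runs into the following `include` line.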
@@ -86,7 +106,7 @@ It is also possible to extend the configuration of the default file `site.conf` nano data/conf/nginx/site.my_content.custom ``` -This filename does not need to have a ".conf" extension, but follows the pattern `site.*.custom`, where `*` is a custom name. +This filename does not need to have a ".conf" extension but follows the pattern `site.*.custom`, where `*` is a custom name. If PHP is to be included in a custom site, please use the PHP-FPM listener on phpfpm:9002 or create a new listener in `data/conf/phpfpm/php-fpm.d/pools.conf`. @@ -96,3 +116,4 @@ Restart Nginx (and PHP-FPM, if a new listener was created): docker-compose restart nginx-mailcow docker-compose restart php-fpm-mailcow ``` + From cd0f49780c16aae712b5614ad09bb723c335167e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Wed, 21 Jul 2021 15:36:39 +0200 Subject: [PATCH 202/220] Update b_n_r_backup.md --- docs/b_n_r_backup.md | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/docs/b_n_r_backup.md b/docs/b_n_r_backup.md index 271a7b94e..60e6c301e 100644 --- a/docs/b_n_r_backup.md +++ b/docs/b_n_r_backup.md 
@@ -72,3 +72,26 @@ if [ $RESULT -ne 0 ] cat "$OUT" fi ``` + +# Backup strategy with rsync and mailcow backup script + +Create the destination directory for mailcows helper script: +``` +mkdir -p /external_share/backups/backup_script +``` + +Create cronjobs: +``` +25 1 * * * rsync -aH --delete /opt/mailcow-dockerized /external_share/backups/mailcow-dockerized +40 2 * * * rsync -aH --delete /var/lib/docker/volumes /external_share/backups/var_lib_docker_volumes +5 4 * * * cd /opt/mailcow-dockerized/; BACKUP_LOCATION=/external_share/backups/backup_script /opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh backup mysql crypt redis --delete-days 3 +# If you want to, use the acl util to backup permissions of some/all folders/files: getfacl -Rn /path +``` + +On the destination (in this case `/external_share/backups`) you may want to have snapshot capabilities (ZFS, Btrfs etc.). Snapshot daily and keep for n days for a consistent backup. +Do **not** rsync to a Samba share, you need to keep the correct permissions! + +To restore you'd simply need to run rsync the other way round and restart Docker to re-read the volumes. Run `docker-compose pull` and `docker-compose up -d`. + +If you are lucky Redis and MariaDB can automatically fix the inconsistent databases (if they _are_ inconsistent). +In case of a corrupted database you'd need to use the helper script to restore the inconsistent elements. If a restore fails, try to extract the backups and copy the files back manually. Keep the file permissions! From 4971da683d97a38294c1e0e28985127ff88f076c Mon Sep 17 00:00:00 2001 From: Peter Date: Sat, 24 Jul 2021 22:40:26 +0200 Subject: [PATCH 203/220] [GH-Actions][pages] Update mkdocs-material to 7.2.0 --- .github/workflows/gh-pages.yml | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 7b3ac61fb..dcbbcaf7d 100644 --- a/.github/workflows/gh-pages.yml 
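Review bot: in the cron lines added to `docs/b_n_r_backup.md`, both rsync sources lack a trailing slash, so `rsync -aH --delete /opt/mailcow-dockerized /external_share/backups/mailcow-dockerized` creates `mailcow-dockerized/mailcow-dockerized` on the destination (and likewise `var_lib_docker_volumes/volumes`), which the "run rsync the other way round" restore step does not account for. Either add the trailing slash to each source or spell out the restore commands. `-aH` also does not copy ACLs or extended attributes, while the text insists on keeping permissions and mentions `getfacl` only in a comment; consider adding `-A -X` where both file systems support them. The restore paragraph should say to stop Docker before syncing back into `/var/lib/docker/volumes`, not only to restart it afterwards.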
+++ b/.github/workflows/gh-pages.yml @@ -14,7 +14,7 @@ jobs: run: | sudo apt-get -y update sudo apt-get -y install python3-pip - pip install mkdocs-material==7.1.11 pygments==2.9.0 mkdocs-redirects==1.0.3 + pip install mkdocs-material==7.2.0 pygments==2.9.0 mkdocs-redirects==1.0.3 - name: Build site 🔧 run: | diff --git a/README.md b/README.md index 75f507540..4c1e7650e 100644 --- a/README.md +++ b/README.md @@ -9,6 +9,6 @@ https://mailcow.github.io/mailcow-dockerized-docs To build it locally, you need the [Material theme for MkDocs](https://squidfunk.github.io/mkdocs-material/), [MkDocs](https://www.mkdocs.org/) itself and [Pygments](http://pygments.org/). To install these with [pip](https://pip.pypa.io/en/stable/) and get it up and running, fire up your terminal and enter ``` -pip install mkdocs-material==7.1.11 pygments==2.9.0 mkdocs-redirects==1.0.3 +pip install mkdocs-material==7.2.0 pygments==2.9.0 mkdocs-redirects==1.0.3 mkdocs serve ``` From 99f68615239c15c2c753f8704ef07305c1111a80 Mon Sep 17 00:00:00 2001 From: Peter Date: Sun, 25 Jul 2021 22:08:37 +0200 Subject: [PATCH 204/220] [GH-Actions][pages] Update mkdocs-material to 7.2.1 --- .github/workflows/gh-pages.yml | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index dcbbcaf7d..4ea2d63eb 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -14,7 +14,7 @@ jobs: run: | sudo apt-get -y update sudo apt-get -y install python3-pip - pip install mkdocs-material==7.2.0 pygments==2.9.0 mkdocs-redirects==1.0.3 + pip install mkdocs-material==7.2.1 pygments==2.9.0 mkdocs-redirects==1.0.3 - name: Build site 🔧 run: | diff --git a/README.md b/README.md index 4c1e7650e..57be3bf5a 100644 --- a/README.md +++ b/README.md 
@@ -9,6 +9,6 @@ https://mailcow.github.io/mailcow-dockerized-docs To build it locally, you need the [Material theme for MkDocs](https://squidfunk.github.io/mkdocs-material/), [MkDocs](https://www.mkdocs.org/) itself and [Pygments](http://pygments.org/). To install these with [pip](https://pip.pypa.io/en/stable/) and get it up and running, fire up your terminal and enter ``` -pip install mkdocs-material==7.2.0 pygments==2.9.0 mkdocs-redirects==1.0.3 +pip install mkdocs-material==7.2.1 pygments==2.9.0 mkdocs-redirects==1.0.3 mkdocs serve ``` From 8a66d36c7c8d39de1cf969d5881e3d59db0e5ee0 Mon Sep 17 00:00:00 2001 From: Patrik Kernstock Date: Fri, 30 Jul 2021 23:17:14 +0100 Subject: [PATCH 205/220] Updated indentation of YAML file --- mkdocs.yml | 216 ++++++++++++++++++++++++++--------------------------- 1 file changed, 108 insertions(+), 108 deletions(-) diff --git a/mkdocs.yml b/mkdocs.yml index 6f64f5853..27e14debf 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
@@ -20,113 +20,113 @@ markdown_extensions: - pymdownx.extra - footnotes nav: -- 'Information & Support': 'index.md' -- 'Prerequisites': - - 'Prepare your system': 'prerequisite-system.md' - - 'DNS setup': 'prerequisite-dns.md' -- 'Installation, Update & Migration': - - 'Installation': 'i_u_m_install.md' - - 'Update': 'i_u_m_update.md' - - 'Migration': 'i_u_m_migration.md' - - 'Deinstallation': 'i_u_m_deinstall.md' -- 'Post Installation Tasks': - - 'Advanced SSL': 'firststeps-ssl.md' - - 'Disable IPv6': 'firststeps-disable_ipv6.md' - - 'IP bindings': 'firststeps-ip_bindings.md' - - 'Local MTA on Docker host': 'firststeps-local_mta.md' - - 'Logging': 'firststeps-logging.md' - - 'Relayhosts': 'firststeps-relayhost.md' - - 'Reverse Proxy': 'firststeps-rp.md' - - 'Rspamd UI': 'firststeps-rspamd_ui.md' - - 'SNAT': 'firststeps-snat.md' - - 'Sync job migration': 'firststeps-sync_jobs_migration.md' - - 'Add trusted networks': 'firststeps-trust_networks.md' -- 'Models': - - 'ACL': 'model-acl.md' - - 'Password hashing': 'model-passwd.md' - - 'Sender and receiver model': 'model-sender_rcv.md' -- 'General Troubleshooting': - - 'Introduction': debug.md - - 'Logs': 'debug-logs.md' - - 'Attach a Container': 'debug-attach_service.md' - - 'Reset Passwords (incl. 
SQL)': 'debug-reset_pw.md' - - 'Manual MySQL upgrade': 'debug-mysql_upgrade.md' - - 'Remove Persistent Data': 'debug-rm_volumes.md' - - 'Common Problems': 'debug-common_problems.md' - - 'Admin login to SOGo': 'debug-admin_login_sogo.md' - - 'Reset TLS certificates': 'debug-reset-tls.md' -- 'Backup & Restore': - - 'Helper script': - - 'Backup': 'b_n_r_backup.md' - - 'Restore': 'b_n_r_restore.md' - - 'Manually': - - 'Maildir': 'u_e-backup_restore-maildir.md' - - 'MySQL': 'u_e-backup_restore-mysql.md' -- 'Manual/Guides/Examples': - - 'mailcow UI': - - 'Configuration': 'u_e-mailcow_ui-config.md' - - 'CSS overrides': 'u_e-mailcow_ui-css.md' - - 'Blacklist / Whitelist': 'u_e-mailcow_ui-bl_wl.md' - - 'Pushover': 'u_e-mailcow_ui-pushover.md' - - 'Spamfilter': 'u_e-mailcow_ui-spamfilter.md' - - 'Temporary email aliases': 'u_e-mailcow_ui-spamalias.md' - - 'Tagging': 'u_e-mailcow_ui-tagging.md' - - 'Two-Factor Authentication': 'u_e-mailcow_ui-tfa.md' - - 'WebAuthn / FIDO2': 'u_e-fido2.md' - - 'Postfix': - - 'Custom transport maps': 'u_e-postfix-custom_transport.md' - - 'Whitelist IP in Postscreen': 'u_e-postfix-postscreen_whitelist.md' - - 'Customize/Expand main.cf': 'u_e-postfix-extra_cf.md' - - 'Disable Sender Addresses Verification': 'u_e-postfix-disable_sender_verification.md' - - 'Max. 
message size (attachment size)': 'u_e-postfix-attachment_size.md' - - 'Statistics with pflogsumm': 'u_e-postfix-pflogsumm.md' - - 'Unbound': - - 'Using an external DNS service': 'u_e-unbound-fwd.md' - - 'Dovecot': - - 'Enable "any" ACL settings': 'u_e-dovecot-any_acl.md' - - 'Expunge a Users mails': 'u_e-dovecot-expunge.md' - - 'Customize/Expand dovecot.conf': 'u_e-dovecot-extra_conf.md' - - 'FTS (Solr)': 'u_e-dovecot-fts.md' - - 'IMAP IDLE interval': 'u_e-dovecot-idle_interval.md' - - 'Mail crypt': 'u_e-dovecot-mail-crypt.md' - - 'More Examples with DOVEADM': 'u_e-dovecot-more.md' - - 'Move Maildir (vmail)': 'u_e-dovecot-vmail-volume.md' - - 'Public folders': 'u_e-dovecot-public_folder.md' - - 'Static master user': 'u_e-dovecot-static_master.md' - - 'Nginx': - - 'Custom sites': 'u_e-nginx.md' - - 'Create subdomain webmail.example.org': 'u_e-webmail-site.md' - - 'Redis': 'u_e-redis.md' - - 'Rspamd': 'u_e-rspamd.md' - - 'SOGo': 'u_e-sogo.md' - - 'Docker': - - 'Customize Dockerfiles': 'u_e-docker-cust_dockerfiles.md' - - 'Docker Compose Bash Completion': 'u_e-docker-dc_bash_compl.md' - - 'Why unbound?': 'u_e-why_unbound.md' - - 'Autodiscover / Autoconfig': 'u_e-autodiscover_config.md' - - 'Redirect HTTP to HTTPS': 'u_e-80_to_443.md' - - 'Re-enable TLS 1.0 and TLS 1.1': 'u_e-reeanble-weak-protocols.md' -- 'Client Configuration': - - 'Overview': 'client.md' - - 'Android': 'client/client-android.md' - - 'Apple macOS / iOS': 'client/client-apple.md' - - 'eM Client': 'client/client-emclient.md' - - 'KDE Kontact': 'client/client-kontact.md' - - 'Microsoft Outlook': 'client/client-outlook.md' - - 'Mozilla Thunderbird': 'client/client-thunderbird.md' - - 'Windows Mail': 'client/client-windows.md' - - 'Windows Phone': 'client/client-windowsphone.md' - - 'Manual configuration': 'client/client-manual.md' -- 'Third party apps': - - 'Borgmatic Backup': 'third_party-borgmatic.md' - - 'Exchange Hybrid Setup': 'third_party-exchange_onprem.md' - - 'Gitea': 'third_party-gitea.md' - - 
'Gogs': 'third_party-gogs.md' - - 'Mailpiler Integration': 'third_party-mailpiler_integration.md' - - 'Nextcloud': 'third_party-nextcloud.md' - - 'Portainer': 'third_party-portainer.md' - - 'Roundcube': 'third_party-roundcube.md' - - 'SOGo Connector for Thunderbird': 'third_party-thunderbird.md' + - 'Information & Support': 'index.md' + - 'Prerequisites': + - 'Prepare your system': 'prerequisite-system.md' + - 'DNS setup': 'prerequisite-dns.md' + - 'Installation, Update & Migration': + - 'Installation': 'i_u_m_install.md' + - 'Update': 'i_u_m_update.md' + - 'Migration': 'i_u_m_migration.md' + - 'Deinstallation': 'i_u_m_deinstall.md' + - 'Post Installation Tasks': + - 'Advanced SSL': 'firststeps-ssl.md' + - 'Disable IPv6': 'firststeps-disable_ipv6.md' + - 'IP bindings': 'firststeps-ip_bindings.md' + - 'Local MTA on Docker host': 'firststeps-local_mta.md' + - 'Logging': 'firststeps-logging.md' + - 'Relayhosts': 'firststeps-relayhost.md' + - 'Reverse Proxy': 'firststeps-rp.md' + - 'Rspamd UI': 'firststeps-rspamd_ui.md' + - 'SNAT': 'firststeps-snat.md' + - 'Sync job migration': 'firststeps-sync_jobs_migration.md' + - 'Add trusted networks': 'firststeps-trust_networks.md' + - 'Models': + - 'ACL': 'model-acl.md' + - 'Password hashing': 'model-passwd.md' + - 'Sender and receiver model': 'model-sender_rcv.md' + - 'General Troubleshooting': + - 'Introduction': debug.md + - 'Logs': 'debug-logs.md' + - 'Attach a Container': 'debug-attach_service.md' + - 'Reset Passwords (incl. 
SQL)': 'debug-reset_pw.md' + - 'Manual MySQL upgrade': 'debug-mysql_upgrade.md' + - 'Remove Persistent Data': 'debug-rm_volumes.md' + - 'Common Problems': 'debug-common_problems.md' + - 'Admin login to SOGo': 'debug-admin_login_sogo.md' + - 'Reset TLS certificates': 'debug-reset-tls.md' + - 'Backup & Restore': + - 'Helper script': + - 'Backup': 'b_n_r_backup.md' + - 'Restore': 'b_n_r_restore.md' + - 'Manually': + - 'Maildir': 'u_e-backup_restore-maildir.md' + - 'MySQL': 'u_e-backup_restore-mysql.md' + - 'Manual/Guides/Examples': + - 'mailcow UI': + - 'Configuration': 'u_e-mailcow_ui-config.md' + - 'CSS overrides': 'u_e-mailcow_ui-css.md' + - 'Blacklist / Whitelist': 'u_e-mailcow_ui-bl_wl.md' + - 'Pushover': 'u_e-mailcow_ui-pushover.md' + - 'Spamfilter': 'u_e-mailcow_ui-spamfilter.md' + - 'Temporary email aliases': 'u_e-mailcow_ui-spamalias.md' + - 'Tagging': 'u_e-mailcow_ui-tagging.md' + - 'Two-Factor Authentication': 'u_e-mailcow_ui-tfa.md' + - 'WebAuthn / FIDO2': 'u_e-fido2.md' + - 'Postfix': + - 'Custom transport maps': 'u_e-postfix-custom_transport.md' + - 'Whitelist IP in Postscreen': 'u_e-postfix-postscreen_whitelist.md' + - 'Customize/Expand main.cf': 'u_e-postfix-extra_cf.md' + - 'Disable Sender Addresses Verification': 'u_e-postfix-disable_sender_verification.md' + - 'Max. 
message size (attachment size)': 'u_e-postfix-attachment_size.md' + - 'Statistics with pflogsumm': 'u_e-postfix-pflogsumm.md' + - 'Unbound': + - 'Using an external DNS service': 'u_e-unbound-fwd.md' + - 'Dovecot': + - 'Enable "any" ACL settings': 'u_e-dovecot-any_acl.md' + - 'Expunge a Users mails': 'u_e-dovecot-expunge.md' + - 'Customize/Expand dovecot.conf': 'u_e-dovecot-extra_conf.md' + - 'FTS (Solr)': 'u_e-dovecot-fts.md' + - 'IMAP IDLE interval': 'u_e-dovecot-idle_interval.md' + - 'Mail crypt': 'u_e-dovecot-mail-crypt.md' + - 'More Examples with DOVEADM': 'u_e-dovecot-more.md' + - 'Move Maildir (vmail)': 'u_e-dovecot-vmail-volume.md' + - 'Public folders': 'u_e-dovecot-public_folder.md' + - 'Static master user': 'u_e-dovecot-static_master.md' + - 'Nginx': + - 'Custom sites': 'u_e-nginx.md' + - 'Create subdomain webmail.example.org': 'u_e-webmail-site.md' + - 'Redis': 'u_e-redis.md' + - 'Rspamd': 'u_e-rspamd.md' + - 'SOGo': 'u_e-sogo.md' + - 'Docker': + - 'Customize Dockerfiles': 'u_e-docker-cust_dockerfiles.md' + - 'Docker Compose Bash Completion': 'u_e-docker-dc_bash_compl.md' + - 'Why unbound?': 'u_e-why_unbound.md' + - 'Autodiscover / Autoconfig': 'u_e-autodiscover_config.md' + - 'Redirect HTTP to HTTPS': 'u_e-80_to_443.md' + - 'Re-enable TLS 1.0 and TLS 1.1': 'u_e-reeanble-weak-protocols.md' + - 'Client Configuration': + - 'Overview': 'client.md' + - 'Android': 'client/client-android.md' + - 'Apple macOS / iOS': 'client/client-apple.md' + - 'eM Client': 'client/client-emclient.md' + - 'KDE Kontact': 'client/client-kontact.md' + - 'Microsoft Outlook': 'client/client-outlook.md' + - 'Mozilla Thunderbird': 'client/client-thunderbird.md' + - 'Windows Mail': 'client/client-windows.md' + - 'Windows Phone': 'client/client-windowsphone.md' + - 'Manual configuration': 'client/client-manual.md' + - 'Third party apps': + - 'Borgmatic Backup': 'third_party-borgmatic.md' + - 'Exchange Hybrid Setup': 'third_party-exchange_onprem.md' + - 'Gitea': 'third_party-gitea.md' + 
- 'Gogs': 'third_party-gogs.md' + - 'Mailpiler Integration': 'third_party-mailpiler_integration.md' + - 'Nextcloud': 'third_party-nextcloud.md' + - 'Portainer': 'third_party-portainer.md' + - 'Roundcube': 'third_party-roundcube.md' + - 'SOGo Connector for Thunderbird': 'third_party-thunderbird.md' icon: logo: 'images/logo.svg' extra: @@ -144,4 +144,4 @@ plugins: - search - redirects: redirect_maps: - 'u_e-mailpiler-integration.md': 'third_party-mailpiler_integration.md' + 'u_e-mailpiler-integration.md': 'third_party-mailpiler_integration.md' From 32dcb9a0b6d2617c3369558d4922541cee25c931 Mon Sep 17 00:00:00 2001 From: Alexander Holzapfel Date: Sat, 31 Jul 2021 00:20:53 +0200 Subject: [PATCH 206/220] Add pre_ and post_update_hook doc (#284) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Add pre_ and post_update_hook doc * Add hint for hook to update page * Update u_e-update-hooks.md Co-authored-by: André Peters Co-authored-by: Patrik Kernstock --- docs/i_u_m_update.md | 4 ++++ docs/u_e-update-hooks.md | 10 ++++++++++ mkdocs.yml | 25 +++++++++++++------------ 3 files changed, 27 insertions(+), 12 deletions(-) create mode 100644 docs/u_e-update-hooks.md diff --git a/docs/i_u_m_update.md b/docs/i_u_m_update.md index d20b76676..f3be9af67 100644 --- a/docs/i_u_m_update.md +++ b/docs/i_u_m_update.md @@ -66,6 +66,10 @@ docker-compose pull docker-compose up -d ``` +### Hooks + +You can hook into the update mechanism by adding scripts called `pre_commit_hook.sh` and `post_commit_hook.sh` to your mailcows root directory. See [this](./u_e-update-hooks.md) for more details. + ## Footnotes - There is no release cycle regarding updates. diff --git a/docs/u_e-update-hooks.md b/docs/u_e-update-hooks.md new file mode 100644 index 000000000..1d61bbe1c --- /dev/null +++ b/docs/u_e-update-hooks.md 
@@ -0,0 +1,10 @@ +It is possible to add pre- and post-update-hooks to the `update.sh` script that upgrades your whole mailcow installation. + +To do so, just add the corresponding bash script into your mailcows root directory: + +* `pre_update_hook.sh` for commands that should run before the update +* `post_uddate_hook.sh` for commands that should run after the update is completed + +Keep in mind that `pre_update_hook.sh` runs every time you call `update.sh` and `post_update_hook.sh` will only run if the update was successful and the script doesn't have to be re-run. + +The scripts will be run by bash, an interpreter (e.g. `#!/bin/bash`) as well as an execute permission flag ("+x") are not required. diff --git a/mkdocs.yml b/mkdocs.yml index 27e14debf..518e0872a 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -1,6 +1,6 @@ -site_name: 'mailcow: dockerized documentation' +site_name: "mailcow: dockerized documentation" site_url: https://mailcow.github.io/mailcow-dockerized-docs/ -copyright: 'Copyright © 2021 André Peters' +copyright: "Copyright © 2021 André Peters" repo_name: mailcow/mailcow-dockerized repo_url: https://github.com/mailcow/mailcow-dockerized edit_uri: ../mailcow-dockerized-docs/edit/master/docs/ @@ -46,7 +46,7 @@ nav: - 'Password hashing': 'model-passwd.md' - 'Sender and receiver model': 'model-sender_rcv.md' - 'General Troubleshooting': - - 'Introduction': debug.md + - 'Introduction': 'debug.md' - 'Logs': 'debug-logs.md' - 'Attach a Container': 'debug-attach_service.md' - 'Reset Passwords (incl. SQL)': 'debug-reset_pw.md' @@ -106,6 +106,7 @@ nav: - 'Autodiscover / Autoconfig': 'u_e-autodiscover_config.md' - 'Redirect HTTP to HTTPS': 'u_e-80_to_443.md' - 'Re-enable TLS 1.0 and TLS 1.1': 'u_e-reeanble-weak-protocols.md' + - "Run scripts before and after updates": "u_e-update-hooks.md" - 'Client Configuration': - 'Overview': 'client.md' - 'Android': 'client/client-android.md' 
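Review bot: the hook file names disagree across this patch, and the bullet list in docs/u_e-update-hooks.md spells the second one `post_uddate_hook.sh`. The paragraph directly below that list uses `post_update_hook.sh`, while the new "Hooks" section in docs/i_u_m_update.md tells readers to create `pre_commit_hook.sh` and `post_commit_hook.sh`. Please settle on the names that `update.sh` actually looks for (the commit subject suggests `pre_update_hook.sh` and `post_update_hook.sh`) and use them in all three places. Since the text says the scripts are run by bash without needing a shebang or an execute bit, it is also worth one sentence saying that these two files should be writable only by the account that runs `update.sh`.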
@@ -128,20 +129,20 @@ nav: - 'Roundcube': 'third_party-roundcube.md' - 'SOGo Connector for Thunderbird': 'third_party-thunderbird.md' icon: - logo: 'images/logo.svg' + logo: "images/logo.svg" extra: palette: - primary: 'indigo' - accent: 'orange' + primary: "indigo" + accent: "orange" social: - icon: fontawesome/solid/globe-americas link: https://mailcow.email - icon: fontawesome/brands/github-alt link: https://github.com/mailcow -extra_css: [extra.css] -extra_javascript: [clients.js] +extra_css: [ extra.css ] +extra_javascript: [ clients.js ] plugins: - - search - - redirects: - redirect_maps: - 'u_e-mailpiler-integration.md': 'third_party-mailpiler_integration.md' + - search + - redirects: + redirect_maps: + 'u_e-mailpiler-integration.md': 'third_party-mailpiler_integration.md' From ac219b0c649d9b7f2af2a82d55e8fbdb3af09227 Mon Sep 17 00:00:00 2001 From: Peter Date: Sat, 31 Jul 2021 15:38:51 +0200 Subject: [PATCH 207/220] [GH-Actions][pages] Update mkdocs-material to 7.2.2 --- .github/workflows/gh-pages.yml | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 4ea2d63eb..5b97014ff 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -14,7 +14,7 @@ jobs: run: | sudo apt-get -y update sudo apt-get -y install python3-pip - pip install mkdocs-material==7.2.1 pygments==2.9.0 mkdocs-redirects==1.0.3 + pip install mkdocs-material==7.2.2 pygments==2.9.0 mkdocs-redirects==1.0.3 - name: Build site 🔧 run: | diff --git a/README.md b/README.md index 57be3bf5a..d66bd5612 100644 --- a/README.md +++ b/README.md 
@@ -9,6 +9,6 @@ https://mailcow.github.io/mailcow-dockerized-docs To build it locally, you need the [Material theme for MkDocs](https://squidfunk.github.io/mkdocs-material/), [MkDocs](https://www.mkdocs.org/) itself and [Pygments](http://pygments.org/). To install these with [pip](https://pip.pypa.io/en/stable/) and get it up and running, fire up your terminal and enter ``` -pip install mkdocs-material==7.2.1 pygments==2.9.0 mkdocs-redirects==1.0.3 +pip install mkdocs-material==7.2.2 pygments==2.9.0 mkdocs-redirects==1.0.3 mkdocs serve ``` From 07b2a2f7622aa9f3c09ae0c185bcd9c0af0d811f Mon Sep 17 00:00:00 2001 From: Peter Date: Tue, 10 Aug 2021 19:12:20 +0200 Subject: [PATCH 208/220] [GH-Actions][pages] Update mkdocs-material to 7.2.3 --- .github/workflows/gh-pages.yml | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 5b97014ff..b5e0a3906 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -14,7 +14,7 @@ jobs: run: | sudo apt-get -y update sudo apt-get -y install python3-pip - pip install mkdocs-material==7.2.2 pygments==2.9.0 mkdocs-redirects==1.0.3 + pip install mkdocs-material==7.2.3 pygments==2.9.0 mkdocs-redirects==1.0.3 - name: Build site 🔧 run: | diff --git a/README.md b/README.md index d66bd5612..270b3dff1 100644 --- a/README.md +++ b/README.md @@ -9,6 +9,6 @@ https://mailcow.github.io/mailcow-dockerized-docs To build it locally, you need the [Material theme for MkDocs](https://squidfunk.github.io/mkdocs-material/), [MkDocs](https://www.mkdocs.org/) itself and [Pygments](http://pygments.org/). To install these with [pip](https://pip.pypa.io/en/stable/) and get it up and running, fire up your terminal and enter ``` -pip install mkdocs-material==7.2.2 pygments==2.9.0 mkdocs-redirects==1.0.3 +pip install mkdocs-material==7.2.3 pygments==2.9.0 mkdocs-redirects==1.0.3 mkdocs serve ``` 
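Review bot: the `pip install mkdocs-material==… pygments==… mkdocs-redirects==…` line exists twice, in .github/workflows/gh-pages.yml and in README.md, and both of these version-bump patches have to edit the two copies in lockstep. Moving the three `==` pins into one requirements file that the workflow installs and the README points to would remove the duplicate edit. The same file could carry hashes (`pip install --require-hashes -r …`), so that the CI job that publishes the site installs exactly the packages that were reviewed.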
From 105a5ce495312c029bb4b788a49235ff1e1ae327 Mon Sep 17 00:00:00 2001 From: Peter Date: Tue, 10 Aug 2021 19:14:43 +0200 Subject: [PATCH 209/220] Fix logo and favicon --- docs/images/favicon.png | Bin 6856 -> 10281 bytes mkdocs.yml | 11 ++++++----- 2 files changed, 6 insertions(+), 5 deletions(-) 
diff --git a/docs/images/favicon.png b/docs/images/favicon.png index 6390041d6004a1dd9c8793ba386ce2a2662d940d..fe6156078be3bb14a2035117bdbc5d116c0cf470 100644 GIT binary patch literal 10281
diff --git a/mkdocs.yml b/mkdocs.yml index 518e0872a..298ab5976 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -5,7 +5,10 @@ repo_name: mailcow/mailcow-dockerized repo_url: https://github.com/mailcow/mailcow-dockerized edit_uri: ../mailcow-dockerized-docs/edit/master/docs/ remote_branch: gh-pages -theme: material +theme: + name: material + logo: images/logo.svg + favicon: images/favicon.png markdown_extensions: - codehilite: guess_lang: true @@ -74,7 +77,7 @@ nav: - 'Two-Factor Authentication': 'u_e-mailcow_ui-tfa.md' - 'WebAuthn / FIDO2': 'u_e-fido2.md' - 'Postfix': - - 'Custom transport maps': 'u_e-postfix-custom_transport.md' + - 'Custom transport maps': 'u_e-postfix-custom_transport.md' - 'Whitelist IP in Postscreen': 'u_e-postfix-postscreen_whitelist.md' - 'Customize/Expand main.cf': 'u_e-postfix-extra_cf.md' - 'Disable Sender Addresses Verification': 'u_e-postfix-disable_sender_verification.md'
@@ -93,7 +96,7 @@ nav: - 'Move Maildir (vmail)': 'u_e-dovecot-vmail-volume.md' - 'Public folders': 'u_e-dovecot-public_folder.md' - 'Static master user': 'u_e-dovecot-static_master.md' - - 'Nginx': + - 'Nginx': - 'Custom sites': 'u_e-nginx.md' - 'Create subdomain webmail.example.org': 'u_e-webmail-site.md' - 'Redis': 'u_e-redis.md' @@ -128,8 +131,6 @@ nav: - 'Portainer': 'third_party-portainer.md' - 'Roundcube': 'third_party-roundcube.md' - 'SOGo Connector for Thunderbird': 'third_party-thunderbird.md' -icon: - logo: "images/logo.svg" extra: palette: primary: "indigo" From 2fd7244b8dfcaa39c8baebd5eabbf06553ef8ba7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Fri, 13 Aug 2021 21:55:51 +0200 Subject: [PATCH 210/220] Update firststeps-disable_ipv6.md --- docs/firststeps-disable_ipv6.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/firststeps-disable_ipv6.md b/docs/firststeps-disable_ipv6.md index f522d4d05..3f3480e44 100644 --- a/docs/firststeps-disable_ipv6.md +++ b/docs/firststeps-disable_ipv6.md @@ -38,6 +38,7 @@ version: '2.1' services: ipv6nat-mailcow: + image: bash:latest restart: "no" entrypoint: ["echo", "ipv6nat disabled in compose.override.yml"] ``` From 4696fd35a1664e7f3211ca7a2b6f0974e79164f8 Mon Sep 17 00:00:00 2001 From: Peter Date: Sun, 15 Aug 2021 18:28:46 +0200 Subject: [PATCH 211/220] [GH-Actions][pages] Update mkdocs-material to 7.2.4 --- .github/workflows/gh-pages.yml | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index b5e0a3906..f0c955720 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -14,7 +14,7 @@ jobs: run: | sudo apt-get -y update sudo apt-get -y install python3-pip - pip install mkdocs-material==7.2.3 pygments==2.9.0 mkdocs-redirects==1.0.3 + pip install mkdocs-material==7.2.4 pygments==2.9.0 mkdocs-redirects==1.0.3 - name: Build site 🔧 run: | 
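Review bot: in the docs/firststeps-disable_ipv6.md hunk, `image: bash:latest` makes the documented override pull a mutable tag from the registry only to run `echo` once with `restart: "no"`. Please pin a specific version tag (or a digest) so that every reader who copies the override gets the same image, and add a sentence to the page saying why the `image:` key is needed here, since neither the hunk nor the commit message explains it.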
diff --git a/README.md b/README.md index 270b3dff1..6de2c3fdd 100644 --- a/README.md +++ b/README.md @@ -9,6 +9,6 @@ https://mailcow.github.io/mailcow-dockerized-docs To build it locally, you need the [Material theme for MkDocs](https://squidfunk.github.io/mkdocs-material/), [MkDocs](https://www.mkdocs.org/) itself and [Pygments](http://pygments.org/). To install these with [pip](https://pip.pypa.io/en/stable/) and get it up and running, fire up your terminal and enter ``` -pip install mkdocs-material==7.2.3 pygments==2.9.0 mkdocs-redirects==1.0.3 +pip install mkdocs-material==7.2.4 pygments==2.9.0 mkdocs-redirects==1.0.3 mkdocs serve ``` From 8e294db53d4138511c30288fdbd91dbd647ad5a8 Mon Sep 17 00:00:00 2001 From: Peter Date: Sun, 15 Aug 2021 18:29:45 +0200 Subject: [PATCH 212/220] [GH-Actions][pages] Update pygments to 2.10.0 --- .github/workflows/gh-pages.yml | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index f0c955720..665857ee6 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -14,7 +14,7 @@ jobs: run: | sudo apt-get -y update sudo apt-get -y install python3-pip - pip install mkdocs-material==7.2.4 pygments==2.9.0 mkdocs-redirects==1.0.3 + pip install mkdocs-material==7.2.4 pygments==2.10.0 mkdocs-redirects==1.0.3 - name: Build site 🔧 run: | diff --git a/README.md b/README.md index 6de2c3fdd..7ac967bd9 100644 --- a/README.md +++ b/README.md 
@@ -9,6 +9,6 @@ https://mailcow.github.io/mailcow-dockerized-docs To build it locally, you need the [Material theme for MkDocs](https://squidfunk.github.io/mkdocs-material/), [MkDocs](https://www.mkdocs.org/) itself and [Pygments](http://pygments.org/). To install these with [pip](https://pip.pypa.io/en/stable/) and get it up and running, fire up your terminal and enter ``` -pip install mkdocs-material==7.2.4 pygments==2.9.0 mkdocs-redirects==1.0.3 +pip install mkdocs-material==7.2.4 pygments==2.10.0 mkdocs-redirects==1.0.3 mkdocs serve ``` From be11df7facc55c8aab23e454ee83ab5be19b9ffb Mon Sep 17 00:00:00 2001 From: andryyy Date: Mon, 16 Aug 2021 12:37:30 +0200 Subject: [PATCH 213/220] Add info about automatic backups --- docs/b_n_r_accidental_deletion.md | 40 +++++++++++++++++++++++++++++++ mkdocs.yml | 2 ++ 2 files changed, 42 insertions(+) create mode 100644 docs/b_n_r_accidental_deletion.md diff --git a/docs/b_n_r_accidental_deletion.md b/docs/b_n_r_accidental_deletion.md new file mode 100644 index 000000000..43b731f21 --- /dev/null +++ b/docs/b_n_r_accidental_deletion.md 
@@ -0,0 +1,40 @@ +So you deleted a mailbox and have no backups, he? + +If you noticed your mistake within a few hours, you can probably recover the users data. + +### SOGo + +We automatically create daily backups (24h interval starting from running up -d) in `/var/lib/docker/volumes/mailcowdockerized_sogo-userdata-backup-vol-1/_data/`. + +**Make sure the user you want to restore exists in your mailcow**. Re-create them if they are missing. + +Copy the file named after the user you want to restore to `__MAILCOW_DIRECTORY__/data/conf/sogo`. + +1\. Copy the backup: `cp /var/lib/docker/volumes/mailcowdockerized_sogo-userdata-backup-vol-1/_data/restoreme@example.org __MAILCOW_DIRECTORY__/data/conf/sogo` + +2\. Run `docker-compose exec -u sogo sogo-mailcow sogo-tool restore -F ALL /etc/sogo restoreme@example.org` + +Run `sogo-tool` without parameters to check for possible restore options. + +3\. Delete the copied backup by running `rm __MAILCOW_DIRECTORY__/data/conf/sogo` + +4\. Restart SOGo and Memcached: `docker-compose restart sogo-mailcow memcached-mailcow` + +### Mail + +In case of an accidental deletion of a mailbox, you will be able to recover for (by default) 5 days. This depends on the `MAILDIR_GC_TIME` parameter in `mailcow.conf`. + +A deleted mailbox is copied in its encrypted form to `/var/lib/docker/volumes/mailcowdockerized_vmail-vol-1/_data/_garbage`. + +The folder inside _garbage follows the structure `[timestamp]_[domain_sanitized][user_sanitized]`, for example `1629109708_exampleorgtest in case of test@example.org deleted on 1629109708. + +To restore make sure you are actually restoring to the same mailcow it was deleted from or you use the same encryption keys in `crypt-vol-1`. + +**Make sure the user you want to restore exists in your mailcow**. Re-create them if they are missing. 
+ +Copy the folders from `/var/lib/docker/volumes/mailcowdockerized_vmail-vol-1/_data/_garbage/[timestamp]_[domain_sanitized][user_sanitized]` back to `/var/lib/docker/volumes/mailcowdockerized_vmail-vol-1/_data/[domain]/[user]` and resync the folder and recalc the quota: + +``` +docker-compose exec dovecot-mailcow doveadm force-resync -u restoreme@example.net '*' +docker-compose exec dovecot-mailcow doveadm quota recalc -u restoreme@example.net +``` diff --git a/mkdocs.yml b/mkdocs.yml index 65a3b113a..045cec693 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -62,6 +62,8 @@ nav: - 'Manually': - 'Maildir': 'u_e-backup_restore-maildir.md' - 'MySQL': 'u_e-backup_restore-mysql.md' + - 'Automatic backups' + - 'Recover accidentally deleted data': 'b_n_r_accidental_deletion.md' - 'Manual/Guides/Examples': - 'mailcow UI': - 'Configuration': 'u_e-mailcow_ui-config.md' From d77dd97c90d200e3cf783945a5198fe398cc4ea8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Fri, 20 Aug 2021 08:38:51 +0200 Subject: [PATCH 214/220] Update third_party-roundcube.md --- docs/third_party-roundcube.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/third_party-roundcube.md b/docs/third_party-roundcube.md index bde36cfb8..ec2c4e13e 100644 --- a/docs/third_party-roundcube.md +++ b/docs/third_party-roundcube.md @@ -1,10 +1,10 @@ -Download Roundcube 1.4.x to the web htdocs directory and extract it (here `rc/`): +Download Roundcube 1.5.x to the web htdocs directory and extract it (here `rc/`): ``` # Check for a newer release! cd data/web -wget -O - https://github.com/roundcube/roundcubemail/releases/download/1.4.11/roundcubemail-1.4.11-complete.tar.gz | tar xfvz - +wget -O - https://github.com/roundcube/roundcubemail/releases/download/1.5-rc/roundcubemail-1.5-rc-complete.tar.gz | tar xfvz - # Change folder name -mv roundcubemail-1.4.11 rc +mv roundcubemail-1.5-rc rc # Change permissions chown -R root: rc/ ``` 
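Review bot: step 3 of the SOGo section in docs/b_n_r_accidental_deletion.md reads `rm __MAILCOW_DIRECTORY__/data/conf/sogo`, which names the SOGo configuration directory rather than the backup file copied there in step 1; it should be `rm __MAILCOW_DIRECTORY__/data/conf/sogo/restoreme@example.org`. In the Mail section the example `1629109708_exampleorgtest` is missing its closing backtick, and the doveadm commands use restoreme@example.net while the SOGo steps use restoreme@example.org. In the mkdocs.yml hunk, `- 'Automatic backups'` has no trailing colon, unlike the neighbouring section header `- 'Manually':`, so the "Recover accidentally deleted data" entry is unlikely to be picked up as its child.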
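Review bot: the docs/third_party-roundcube.md hunk moves the documented download from the 1.4.11 release to `1.5-rc`, a release candidate, and keeps the `wget -O - … | tar xfvz -` pipe, which extracts the archive into `data/web` without any integrity check. For a webmail front end that sits next to the mailcow UI, please point the instructions at a final release and have readers save the archive to a file and verify it against the checksum or signature published with that release before extracting.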
From 5689d70d1ac0c84d704d35694ae9f9dd737b7b56 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Mon, 23 Aug 2021 08:12:36 +0200 Subject: [PATCH 215/220] Update i_u_m_install.md --- docs/i_u_m_install.md | 5 ----- 1 file changed, 5 deletions(-) diff --git a/docs/i_u_m_install.md b/docs/i_u_m_install.md index 764f462cc..cd9469a30 100644 --- a/docs/i_u_m_install.md +++ b/docs/i_u_m_install.md @@ -1,8 +1,3 @@ -!!! warning - Make sure you've read ["Prepare Your System"](https://mailcow.github.io/mailcow-dockerized-docs/prerequisite-system) before proceeding! - **We do not recommend** CentOS 8 anymore. - - You need Docker (a version >= `20.10.2` is required) and Docker Compose. **1\.** Learn how to install [Docker](https://docs.docker.com/install/) and [Docker Compose](https://docs.docker.com/compose/install/). From 4484abe4e79a2314d4861406bd486376844bb580 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Mon, 23 Aug 2021 08:12:59 +0200 Subject: [PATCH 216/220] Update prerequisite-system.md --- docs/prerequisite-system.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/prerequisite-system.md b/docs/prerequisite-system.md index 6c5df19f3..4880abe48 100644 --- a/docs/prerequisite-system.md +++ b/docs/prerequisite-system.md @@ -2,7 +2,6 @@ Before you run **mailcow: dockerized**, there are a few requirements that you sh !!! warning Do **not** try to install mailcow on a Synology/QNAP device (any NAS), OpenVZ, LXC or other container platforms. KVM, ESX, Hyper-V and other full virtualization platforms are supported. - We **do not** recommend to use CentOS 8 anymore! !!! info - mailcow: dockerized requires [some ports](#default-ports) to be open for incoming connections, so make sure that your firewall is not blocking these. From 3a0c2ec180486518022bbaba45397d04b43d4da0 Mon Sep 17 00:00:00 2001 
From: Peter Date: Wed, 25 Aug 2021 19:45:06 +0200 Subject: [PATCH 217/220] [GH-Actions][pages] Update mkdocs-material to 7.2.5 --- .github/workflows/gh-pages.yml | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 665857ee6..4a105179e 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -14,7 +14,7 @@ jobs: run: | sudo apt-get -y update sudo apt-get -y install python3-pip - pip install mkdocs-material==7.2.4 pygments==2.10.0 mkdocs-redirects==1.0.3 + pip install mkdocs-material==7.2.5 pygments==2.10.0 mkdocs-redirects==1.0.3 - name: Build site 🔧 run: | diff --git a/README.md b/README.md index 7ac967bd9..434fa7178 100644 --- a/README.md +++ b/README.md @@ -9,6 +9,6 @@ https://mailcow.github.io/mailcow-dockerized-docs To build it locally, you need the [Material theme for MkDocs](https://squidfunk.github.io/mkdocs-material/), [MkDocs](https://www.mkdocs.org/) itself and [Pygments](http://pygments.org/). To install these with [pip](https://pip.pypa.io/en/stable/) and get it up and running, fire up your terminal and enter ``` -pip install mkdocs-material==7.2.4 pygments==2.10.0 mkdocs-redirects==1.0.3 +pip install mkdocs-material==7.2.5 pygments==2.10.0 mkdocs-redirects==1.0.3 mkdocs serve ``` From b50c8e046aa1c6c51098d8c36e5e84056f09db59 Mon Sep 17 00:00:00 2001 From: Riccardo Bessone Date: Thu, 26 Aug 2021 08:56:39 +0200 Subject: [PATCH 218/220] Update CardDAv for Roundcube Update CardDav for Roundcube to the latest version for compatibility with PHP 8 --- docs/third_party-roundcube.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/third_party-roundcube.md b/docs/third_party-roundcube.md index ec2c4e13e..0042a2bea 100644 --- a/docs/third_party-roundcube.md +++ b/docs/third_party-roundcube.md 
@@ -105,7 +105,7 @@ $config['password_query'] = "UPDATE mailbox SET password = %P WHERE username = % Download the latest release of [RCMCardDAV](https://github.com/blind-coder/rcmcarddav/) to the Roundcube plugin directory and extract it (here `rc/plugins`): ``` cd data/web/rc/plugins -wget -O - https://github.com/blind-coder/rcmcarddav/releases/download/v3.0.3/carddav-3.0.3.tar.bz2 | tar xfvj - +wget -O - https://github.com/mstilkerich/rcmcarddav/releases/download/v4.1.2/carddav-v4.1.2.tar.gz | tar xfvz - chown -R root: carddav/ ``` From 123e49285cf56989e94e49df0264d609e1fdf4e4 Mon Sep 17 00:00:00 2001 From: Riccardo Bessone Date: Thu, 26 Aug 2021 17:38:14 +0200 Subject: [PATCH 219/220] Update CardDAV repository URL Repository URL changed due to namespace change --- docs/third_party-roundcube.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/third_party-roundcube.md b/docs/third_party-roundcube.md index 0042a2bea..877c4273a 100644 --- a/docs/third_party-roundcube.md +++ b/docs/third_party-roundcube.md @@ -102,7 +102,7 @@ $config['password_query'] = "UPDATE mailbox SET password = %P WHERE username = % ### Integrate CardDAV addressbooks in Roundcube -Download the latest release of [RCMCardDAV](https://github.com/blind-coder/rcmcarddav/) to the Roundcube plugin directory and extract it (here `rc/plugins`): +Download the latest release of [RCMCardDAV](https://github.com/mstilkerich/rcmcarddav) to the Roundcube plugin directory and extract it (here `rc/plugins`): ``` cd data/web/rc/plugins wget -O - https://github.com/mstilkerich/rcmcarddav/releases/download/v4.1.2/carddav-v4.1.2.tar.gz | tar xfvz - From 175b1e9e8f492d571489d60bac7cd303dba07816 Mon Sep 17 00:00:00 2001 From: Peter Date: Thu, 26 Aug 2021 23:08:10 +0200 Subject: [PATCH 220/220] [GH-Actions][pages] Update github-pages-deploy-action to 4.1.5 --- .github/workflows/gh-pages.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 4a105179e..60ee15abf 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -21,7 +21,7 @@ jobs: mkdocs build --verbose --clean - name: Deploy 🚀 - uses: JamesIves/github-pages-deploy-action@4.1.4 + uses: JamesIves/github-pages-deploy-action@4.1.5 with: branch: gh-pages # The branch the action should deploy to. folder: site # The folder the action should deploy.
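Review bot: In the new docs/b_n_r_accidental_deletion.md (hunk `@@ -0,0 +1,40 @@`), SOGo step 3 runs `rm __MAILCOW_DIRECTORY__/data/conf/sogo`, which names the directory the backup was copied into rather than the copied file. As written the command fails on a directory, and a reader who adds `-r` to get past the error removes the whole `data/conf/sogo` directory. Suggest `rm __MAILCOW_DIRECTORY__/data/conf/sogo/restoreme@example.org`. In the same hunk, the example `1629109708_exampleorgtest is missing its closing backtick, and the SOGo steps use restoreme@example.org while the doveadm commands use restoreme@example.net; one address throughout would be easier to follow.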
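Review bot: In the mkdocs.yml hunk (`@@ -62,6 +62,8 @@`), the added nav entry `- 'Automatic backups'` has no trailing colon, unlike the neighbouring section entry `- 'Manually':`. If it is meant to be the parent section of 'Recover accidentally deleted data', it needs to read `- 'Automatic backups':` with the child entry indented beneath it; if it is not meant to be a section, it has no target file and should be dropped.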
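Review bot: In docs/third_party-roundcube.md (PATCH 214, hunk `@@ -1,10 +1,10 @@`), the download URL and the `mv` line now reference `1.5-rc`, a release candidate, while the sentence above says "Roundcube 1.5.x". Instructions that readers copy onto a production mail server should point at a stable release, or say explicitly that this is a pre-release. The archive is also piped from `wget` straight into `tar` with no checksum or signature check; consider downloading to a file and verifying it before extraction.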
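Review bot: In docs/i_u_m_install.md (PATCH 215, hunk `@@ -1,8 +1,3 @@`), the deletion removes the whole `!!! warning` block, including the pointer to "Prepare Your System", not only the CentOS 8 sentence. PATCH 216 removes just the CentOS 8 line from prerequisite-system.md, so if the goal is to drop the CentOS 8 advice, keep the first line of the admonition here. The commit message "Update i_u_m_install.md" does not say which was intended.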
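Review bot: In PATCH 218 (docs/third_party-roundcube.md, hunk `@@ -105,7 +105,7 @@`), the `wget` URL moves from the `blind-coder` namespace to `mstilkerich`, but the context line directly above still links https://github.com/blind-coder/rcmcarddav/ and the commit message mentions only PHP 8 compatibility. A change of download source should be stated in the commit message and the prose link updated in the same commit, so the page never shows two different origins for the plugin (PATCH 219 corrects the link afterwards).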
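Review bot: In .github/workflows/gh-pages.yml (PATCH 220, hunk `@@ -21,7 +21,7 @@`), `uses: JamesIves/github-pages-deploy-action@4.1.5` references a third-party action by tag, and a tag can be moved to different code by the action's owner. Since this step publishes the built site to the `gh-pages` branch, pin the action to the full commit SHA of the 4.1.5 release and keep the version number as a trailing comment.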