From 13ee064707a3b0771b527da3596dab171d7d3395 Mon Sep 17 00:00:00 2001 From: Dmitriy Alekseev <1865999+dragoangel@users.noreply.github.com> Date: Thu, 24 Sep 2020 19:44:28 +0300 Subject: [PATCH 001/288] Add DMARC Reporting --- mkdocs.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/mkdocs.yml b/mkdocs.yml index 92e56d69a..86d4f81fe 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -32,6 +32,7 @@ nav: - 'Untrust RFC 1918': 'firststeps-rfc-1918.md' - 'Advanced SSL': 'firststeps-ssl.md' - 'Rspamd UI': 'firststeps-rspamd_ui.md' + - 'DMARC Reporting': 'firststeps-dmarc_reporting.md' - 'Reverse Proxy': 'firststeps-rp.md' - 'SNAT': 'firststeps-snat.md' - 'Disable IPv6': 'firststeps-disable_ipv6.md' From 1f8f8ed98b8873838c719b5e26c776bad718f5b9 Mon Sep 17 00:00:00 2001 From: Dmitriy Alekseev <1865999+dragoangel@users.noreply.github.com> Date: Thu, 24 Sep 2020 21:49:33 +0300 Subject: [PATCH 002/288] Create firststeps-dmarc_reporting.md --- docs/firststeps-dmarc_reporting.md | 53 ++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 docs/firststeps-dmarc_reporting.md diff --git a/docs/firststeps-dmarc_reporting.md b/docs/firststeps-dmarc_reporting.md new file mode 100644 index 000000000..d6727b48a --- /dev/null +++ b/docs/firststeps-dmarc_reporting.md 
@@ -0,0 +1,53 @@ +DMARC Reporting done via Rspamd DMARC Module. + +Offical configuration options and documentation can be found here: https://rspamd.com/doc/modules/dmarc.html + +**Important:** +1. Before use config examples from this document please adjust them, change `example.com` and `Example` to your actual data +2. DMARC reporting require additional attention, especially at first days +3. Your reports for all server will be send from one reporting domain. Recommended to use parent domain of your `MAILCOW_HOSTNAME`, f.e: + - if your `MAILCOW_HOSTNAME=mail.example.com` then Reporting `domain = "example.com";` + - set `email` from same domain also, `email = "noreply-dmarc@example.com";` +4. This optional, but recomended step: create `noreply-dmarc` email user in mailcow to handle bounces. + - Go to mailcow admin UI → Configuration → Mail Setup → Mailboxes → Add mailbox → Create mailbox `noreply-dmarc`, please choose correct domain + - In case you want silently discard bounces: login in SOGo from this account and go to Preferences → Mail → Filters → Create Filter → Add action → Provide name, f.e: `noreply` and add action: Discard the message and save filter + - In case you plan to resend a copy of reports to yourself: you need add condition to previous filter example `From is not noreply-dmarc@example.com` + +## Enable DMARC Reports +Create or edit file in `data/conf/rspamd/local.d/dmarc.conf` and set content to: +``` +reporting = true; +send_reports = true; +report_settings { + org_name = "Example"; + domain = "example.com"; + email = "noreply-dmarc@example.com"; + from_name = "Example DMARC Report"; + smtp = "postfix"; + smtp_port = 25; + helo = "rspamd"; + retries = 3; + hscan_count = 1500 +} +``` + +## Disable DMARC Reports +To disable reports set `send_reports` to `false` + +## Send a copy reports to yourself +To get copy of own generated reports you can add `additional_address = "noreply-dmarc@pnnsoft.com";` in `report_settings` section. 
+This useful in case: +- you want to check that your DMARC Reports send correctly, e.g.: check that they signed by DKIM, etc. +- you want to analyze own reports to get statics data, f.e: use with ParseDMARC or other analytic system + +## DMARC Force actions +This module also allows to enable force actions based on sender DMARC policy to reject or quarantine emails which has failed policy. +This good from security point, but not allow whitelist broken senders. This up to your choice enable it or not. + +To enable it, add to end of `data/conf/rspamd/local.d/dmarc.conf`: +``` +actions { + quarantine = "add_header"; + reject = "reject"; +} +``` From f86aed6d89580ba951e27410b74ef497a05c7b41 Mon Sep 17 00:00:00 2001 From: Dmitriy Alekseev <1865999+dragoangel@users.noreply.github.com> Date: Sat, 26 Sep 2020 12:23:14 +0300 Subject: [PATCH 003/288] Update firststeps-dmarc_reporting.md --- docs/firststeps-dmarc_reporting.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/firststeps-dmarc_reporting.md b/docs/firststeps-dmarc_reporting.md index d6727b48a..cedf5ce6e 100644 --- a/docs/firststeps-dmarc_reporting.md +++ b/docs/firststeps-dmarc_reporting.md @@ -40,6 +40,11 @@ This useful in case: - you want to check that your DMARC Reports send correctly, e.g.: check that they signed by DKIM, etc. - you want to analyze own reports to get statics data, f.e: use with ParseDMARC or other analytic system +**Important:** + +Future `additional_address_bcc` is broken, lead to not sending reports to `additional_address` even while it `false`. +Do not add this option to `dmarc.conf` till bug https://github.com/rspamd/rspamd/issues/3465 will be resolved and fixed version will be used in mailcow. + ## DMARC Force actions This module also allows to enable force actions based on sender DMARC policy to reject or quarantine emails which has failed policy. This good from security point, but not allow whitelist broken senders. This up to your choice enable it or not. 
From f1fa9b69aacc7c259ce367a62d25695793293187 Mon Sep 17 00:00:00 2001 From: andryyy Date: Thu, 12 Nov 2020 08:52:02 +0100 Subject: [PATCH 004/288] add info about pw schemes --- docs/model-pws.md | 28 ++++++++++++++++++++++++++++ mkdocs.yml | 1 + 2 files changed, 29 insertions(+) create mode 100644 docs/model-pws.md diff --git a/docs/model-pws.md b/docs/model-pws.md new file mode 100644 index 000000000..78c935e93 --- /dev/null +++ b/docs/model-pws.md @@ -0,0 +1,28 @@ +# Fully supported hashing methods + +The most current mailcow fully supports the following hashing methods. +The default hashing method is written in bold: + +- **BLF-CRYPT** +- SSHA256 +- SSHA512 + +The methods above can be used in `mailcow.conf` as `MAILCOW_PASS_SCHEME` value. + +## Read-only hashing methods + +The following methods are supported **read only**. + +- MD5-CRYPT +- PLAIN-MD5 +- SHA512-CRYPT + +That means mailcow is able to verify users with a hash like `{PLAIN-MD5}1a1dc91c907325c69271ddf0c944bc72` from the database. + +The value of `MAILCOW_PASS_SCHEME` will _always_ be used to encrypt new passwords. + +--- + +> I changed the password hashes in the "mailbox" SQL table and cannot login. + +A "view" needs to be updated. You can trigger this by restarting sogo-mailcow: `docker-compose restart sogo-mailcow` diff --git a/mkdocs.yml b/mkdocs.yml index ac539bb05..621031721 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -43,6 +43,7 @@ nav: - 'Models': - 'Sender and receiver model': 'model-sender_rcv.md' - 'ACL': 'model-acl.md' + - 'Password hashing': 'model-passwd.md' - 'Debugging & Troubleshooting': - 'Introduction': debug.md - 'Logs': 'debug-logs.md' From 08283bab355dd0e41787a51c293c2253899a64f7 Mon Sep 17 00:00:00 2001 From: andryyy Date: Thu, 12 Nov 2020 10:20:00 +0100 Subject: [PATCH 005/288] fix url --- docs/model-passwd.md | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 docs/model-passwd.md 
diff --git a/docs/model-passwd.md b/docs/model-passwd.md new file mode 100644 index 000000000..78c935e93 --- /dev/null +++ b/docs/model-passwd.md @@ -0,0 +1,28 @@ +# Fully supported hashing methods + +The most current mailcow fully supports the following hashing methods. +The default hashing method is written in bold: + +- **BLF-CRYPT** +- SSHA256 +- SSHA512 + +The methods above can be used in `mailcow.conf` as `MAILCOW_PASS_SCHEME` value. + +## Read-only hashing methods + +The following methods are supported **read only**. + +- MD5-CRYPT +- PLAIN-MD5 +- SHA512-CRYPT + +That means mailcow is able to verify users with a hash like `{PLAIN-MD5}1a1dc91c907325c69271ddf0c944bc72` from the database. + +The value of `MAILCOW_PASS_SCHEME` will _always_ be used to encrypt new passwords. + +--- + +> I changed the password hashes in the "mailbox" SQL table and cannot login. + +A "view" needs to be updated. You can trigger this by restarting sogo-mailcow: `docker-compose restart sogo-mailcow` From 961e93f0f8b2fa1d74feacae04e0862f353f311f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Thu, 12 Nov 2020 12:40:52 +0100 Subject: [PATCH 006/288] Update model-passwd.md --- docs/model-passwd.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/model-passwd.md b/docs/model-passwd.md index 78c935e93..c06642039 100644 --- a/docs/model-passwd.md +++ b/docs/model-passwd.md @@ -1,4 +1,4 @@ -# Fully supported hashing methods +## Fully supported hashing methods The most current mailcow fully supports the following hashing methods. The default hashing method is written in bold: From 58c985de7a9c49117c2186c28eb500fca7c8887b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Thu, 12 Nov 2020 13:32:48 +0100 Subject: [PATCH 007/288] Update firststeps-disable_ipv6.md --- docs/firststeps-disable_ipv6.md | 1 + 1 file changed, 1 insertion(+) 
diff --git a/docs/firststeps-disable_ipv6.md b/docs/firststeps-disable_ipv6.md index 1f0f86abf..f522d4d05 100644 --- a/docs/firststeps-disable_ipv6.md +++ b/docs/firststeps-disable_ipv6.md @@ -72,6 +72,7 @@ Create `data/conf/postfix/extra.cf` and set `smtp_address_preference` to `ipv4`: ``` smtp_address_preference = ipv4 +inet_protocols = ipv4 ``` Restart Postfix: From 9dacef6c9a52f2b2edef32d70de2eb09135abe53 Mon Sep 17 00:00:00 2001 From: andryyy Date: Sat, 14 Nov 2020 19:18:04 +0100 Subject: [PATCH 008/288] Add info about FIDO2/WebAuthn --- docs/model-fido2.md | 15 +++++++++++++++ mkdocs.yml | 1 + 2 files changed, 16 insertions(+) create mode 100644 docs/model-fido2.md diff --git a/docs/model-fido2.md b/docs/model-fido2.md new file mode 100644 index 000000000..49dc78fb8 --- /dev/null +++ b/docs/model-fido2.md @@ -0,0 +1,15 @@ +## How is UV handled in mailcow? + +The UV flag (as in "user verification") enforces WebAuthn to verify the user before it allows access to the key (think of a PIN). We don't enforce UV to allow logins via iOS and NFC (YubiKey). + +## Login and key processing + +mailcow uses **client-side key processing**. We ask the authenticator (i.e. YubiKey) to save the registration in its memory. + +A user does not need to enter a username. The available credentials - if any - will be shown to the user when selecting the "key login" via mailcow UI login. + +When calling the login process, the authenticator is not given any credential IDs. This will force it to lookup credentials in its own memory. + +## Who can use WebAuthn to login to mailcow? + +As of today, only administrators and domain administrators are able to setup WebAuthn/FIDO2. diff --git a/mkdocs.yml b/mkdocs.yml index 621031721..f3d977873 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
@@ -44,6 +44,7 @@ nav: - 'Sender and receiver model': 'model-sender_rcv.md' - 'ACL': 'model-acl.md' - 'Password hashing': 'model-passwd.md' + - 'WebAuthn / FIDO2': 'model-fido2.md' - 'Debugging & Troubleshooting': - 'Introduction': debug.md - 'Logs': 'debug-logs.md' From e7f6252c560da3c2cfe1e9646f3b75af29db725b Mon Sep 17 00:00:00 2001 From: andryyy Date: Sat, 14 Nov 2020 19:20:00 +0100 Subject: [PATCH 009/288] Order... --- mkdocs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mkdocs.yml b/mkdocs.yml index f3d977873..39c5483f0 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -41,9 +41,9 @@ nav: - 'Sync job migration': 'firststeps-sync_jobs_migration.md' - 'IP bindings': 'firststeps-ip_bindings.md' - 'Models': - - 'Sender and receiver model': 'model-sender_rcv.md' - 'ACL': 'model-acl.md' - 'Password hashing': 'model-passwd.md' + - 'Sender and receiver model': 'model-sender_rcv.md' - 'WebAuthn / FIDO2': 'model-fido2.md' - 'Debugging & Troubleshooting': - 'Introduction': debug.md From 9beceaf2e60791f92b0ef9bf05f404f1c419727e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Sat, 14 Nov 2020 19:25:11 +0100 Subject: [PATCH 010/288] Update model-fido2.md --- docs/model-fido2.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/model-fido2.md b/docs/model-fido2.md index 49dc78fb8..0aa724510 100644 --- a/docs/model-fido2.md +++ b/docs/model-fido2.md @@ -1,6 +1,6 @@ ## How is UV handled in mailcow? -The UV flag (as in "user verification") enforces WebAuthn to verify the user before it allows access to the key (think of a PIN). We don't enforce UV to allow logins via iOS and NFC (YubiKey). +The UV flag (as in "user verification") enforces WebAuthn to verify the user before it allows access to the key (think of a PIN). We don't enforce but prefer UV to allow logins via iOS and NFC (YubiKey). ## Login and key processing From 66dcbf9f6c18a16f69379b17bc5b5d1d6e6ba3c0 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Sun, 15 Nov 2020 08:39:05 +0100 Subject: [PATCH 011/288] Update model-fido2.md --- docs/model-fido2.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/docs/model-fido2.md b/docs/model-fido2.md index 0aa724510..2a42d5a66 100644 --- a/docs/model-fido2.md +++ b/docs/model-fido2.md @@ -1,6 +1,6 @@ ## How is UV handled in mailcow? -The UV flag (as in "user verification") enforces WebAuthn to verify the user before it allows access to the key (think of a PIN). We don't enforce but prefer UV to allow logins via iOS and NFC (YubiKey). +The UV flag (as in "user verification") enforces WebAuthn to verify the user before it allows access to the key (think of a PIN). We don't enforce but prefer UV to allow logins via iOS and NFC (YubiKey). W ## Login and key processing @@ -13,3 +13,11 @@ When calling the login process, the authenticator is not given any credential ID ## Who can use WebAuthn to login to mailcow? As of today, only administrators and domain administrators are able to setup WebAuthn/FIDO2. + +## iOS problems + +Please use a desktop computer to register your key with your mailcow account. + +The process was tested using a YubiKey with Chrome on Windows. When registering a new, empty key, you will be prompted for a PIN for the new YubiKey. Once set and confirmed, the credentials are stored on the key. Using it with iOS works flawless now. + +iOS seems not to be able to set a PIN on the device on first use, so please use a desktop computer for this step. From 18abadce8d810ad9dbe18500ddbca61d7aa9f893 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Mon, 16 Nov 2020 08:42:35 +0100 Subject: [PATCH 012/288] Update model-fido2.md --- docs/model-fido2.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/model-fido2.md b/docs/model-fido2.md index 2a42d5a66..8b0f58e86 100644 --- a/docs/model-fido2.md +++ b/docs/model-fido2.md 
@@ -1,6 +1,6 @@ ## How is UV handled in mailcow? -The UV flag (as in "user verification") enforces WebAuthn to verify the user before it allows access to the key (think of a PIN). We don't enforce but prefer UV to allow logins via iOS and NFC (YubiKey). W +The UV flag (as in "user verification") enforces WebAuthn to verify the user before it allows access to the key (think of a PIN). We don't enforce but prefer UV to allow logins via iOS and NFC (YubiKey). ## Login and key processing From b76206b5150a4fb0b1ac23847ee34a02fbc85941 Mon Sep 17 00:00:00 2001 From: Philipp Beckers Date: Fri, 20 Nov 2020 19:13:53 +0100 Subject: [PATCH 013/288] added new section "via Docker" to the "make it automatic" section --- docs/u_e-dovecot-expunge.md | 39 +++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/docs/u_e-dovecot-expunge.md b/docs/u_e-dovecot-expunge.md index 2c5f97710..a91eb62bc 100644 --- a/docs/u_e-dovecot-expunge.md +++ b/docs/u_e-dovecot-expunge.md @@ -33,6 +33,8 @@ docker-compose exec dovecot-mailcow doveadm expunge -u 'mailbox@example.com' mai ## Make it automatic +### via the host system cron: + If you want to automate such a task you can create a cron job on your host that calls a script like the one below: ``` 
@@ -51,3 +53,40 @@ To create a cron job you may execute `crontab -e` and insert something like the # Execute everyday at 04:00 A.M. 0 4 * * * /path/to/your/expunge_mailboxes.sh ``` + +### via Docker (Ofelia) + +If you prefer to do it via Docker, you can do it with [mcuadros/ofelia](https://github.com/mcuadros/ofelia) which is a low memory foot print docker job scheduler written in Go. It's quite easy to setup, first of all you need a Ofelia container running on your host (one container works for all other containers). To do so, you can add this to your mailcow docker.override.yml: + +``` + ofelia: + image: mcuadros/ofelia:latest + restart: always + command: daemon --docker + volumes: + - /var/run/docker.sock:/var/run/docker.sock:ro + network_mode: none +``` + +Ofelia doesn't need any network access, but access to the docker control socket to access the other containers. Once Ofelia is running by either adding it via the docker-compose.override.yml, or you running it otherwise, we can go and add the new job labels to the dovecot-mailcow container. I show here an example where I clean out the trash folder from any mails older then 2 weeks every day at 4 am. + +``` + dovecot-mailcow: + labels: + - "ofelia.enabled=true" + - "ofelia.job-exec.dovecot-expunge-trash.schedule=0 4 * * *" + - "ofelia.job-exec.dovecot-expunge-trash.command=doveadm expunge -A mailbox 'Junk' savedbefore 2w" + - "ofelia.job-exec.dovecot-expunge-trash.tty=false" +``` + +Add those lines to the docker-compose.override.yml of your mailcow or if you modified the dovecot definition already, extend the labels. The first one is clear, turns on Ofelia for this container. Next we have our cron-style time definiton, important here is also that part after ".job-execute." is the individual job name. This is important when you add more jobs to this container. 
+Those of us who struggle with the cron definitions, i can suggest [crontab guru](https://crontab.guru/) which gives you much more of a gasp on the time string defintion. Next line is the command, which is similar to above to clean out the trash. We don't need to name the container here as that is pointed out by Ofelia by the label already. "tty=false" tells Ofelia we don't need a pseudo-terminal to runs this. + +To see if things ran proper, you can not only see in your mailbox but also check Ofelia's docker log if it looks something like this: + +``` +common.go:124 ▶ NOTICE [Job "dovecot-expunge-trash" (8759567efa66)] Started - doveadm expunge -A mailbox 'Junk' savedbefore 2w, +common.go:124 ▶ NOTICE [Job "dovecot-expunge-trash" (8759567efa66)] Finished in "285.032291ms", failed: false, skipped: false, error: none, +``` + +If it failed it will say so and give you the output of the doveadm in the log to make it easy on you to debug. \ No newline at end of file From 17c0c75ca045016c923d1c0187429686f286bf7d Mon Sep 17 00:00:00 2001 From: Philipp Beckers Date: Fri, 20 Nov 2020 19:55:15 +0100 Subject: [PATCH 014/288] shortend the new section and rewrote it as suggested by @andryyy --- docs/u_e-dovecot-expunge.md | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/docs/u_e-dovecot-expunge.md b/docs/u_e-dovecot-expunge.md index a91eb62bc..ffd7f9782 100644 --- a/docs/u_e-dovecot-expunge.md +++ b/docs/u_e-dovecot-expunge.md 
@@ -54,11 +54,15 @@ To create a cron job you may execute `crontab -e` and insert something like the 0 4 * * * /path/to/your/expunge_mailboxes.sh ``` -### via Docker (Ofelia) +### via Docker job scheduler -If you prefer to do it via Docker, you can do it with [mcuadros/ofelia](https://github.com/mcuadros/ofelia) which is a low memory foot print docker job scheduler written in Go. It's quite easy to setup, first of all you need a Ofelia container running on your host (one container works for all other containers). To do so, you can add this to your mailcow docker.override.yml: +To archive this with a docker job scheduler use this docker-compose.override.yml with your mailcow: ``` +version: '2.1' + + services: + ofelia: image: mcuadros/ofelia:latest restart: always 
@@ -66,27 +70,24 @@ If you prefer to do it via Docker, you can do it with [mcuadros/ofelia](https:// volumes: - /var/run/docker.sock:/var/run/docker.sock:ro network_mode: none -``` -Ofelia doesn't need any network access, but access to the docker control socket to access the other containers. Once Ofelia is running by either adding it via the docker-compose.override.yml, or you running it otherwise, we can go and add the new job labels to the dovecot-mailcow container. I show here an example where I clean out the trash folder from any mails older then 2 weeks every day at 4 am. - -``` dovecot-mailcow: labels: - "ofelia.enabled=true" - "ofelia.job-exec.dovecot-expunge-trash.schedule=0 4 * * *" - "ofelia.job-exec.dovecot-expunge-trash.command=doveadm expunge -A mailbox 'Junk' savedbefore 2w" - "ofelia.job-exec.dovecot-expunge-trash.tty=false" + ``` -Add those lines to the docker-compose.override.yml of your mailcow or if you modified the dovecot definition already, extend the labels. The first one is clear, turns on Ofelia for this container. Next we have our cron-style time definiton, important here is also that part after ".job-execute." is the individual job name. This is important when you add more jobs to this container. -Those of us who struggle with the cron definitions, i can suggest [crontab guru](https://crontab.guru/) which gives you much more of a gasp on the time string defintion. Next line is the command, which is similar to above to clean out the trash. We don't need to name the container here as that is pointed out by Ofelia by the label already. "tty=false" tells Ofelia we don't need a pseudo-terminal to runs this. - -To see if things ran proper, you can not only see in your mailbox but also check Ofelia's docker log if it looks something like this: +The job controller just need access to the docker control socket to be able to emulate the behavior of "exec". 
Then we add a few label to our dovecot-container to activate the job scheduler and tell him in a cron compatible scheduling format when to run. If you struggle with that schedule string you can use [crontab guru](https://crontab.guru/). +This docker-compose.override.yml deletes all mails older then 2 weeks every day at 4 am. To see if things ran proper, you can not only see in your mailbox but also check Ofelia's docker log if it looks something like this: ``` common.go:124 ▶ NOTICE [Job "dovecot-expunge-trash" (8759567efa66)] Started - doveadm expunge -A mailbox 'Junk' savedbefore 2w, common.go:124 ▶ NOTICE [Job "dovecot-expunge-trash" (8759567efa66)] Finished in "285.032291ms", failed: false, skipped: false, error: none, ``` -If it failed it will say so and give you the output of the doveadm in the log to make it easy on you to debug. \ No newline at end of file +If it failed it will say so and give you the output of the doveadm in the log to make it easy on you to debug. + +In case you want to add more jobs, ensure you change the "dovecot-expunge-trash" part after "ofelia.job-exec." to something else, it defines the name of the job. Syntax of the labels you find at [mcuadros/ofelia](https://github.com/mcuadros/ofelia). \ No newline at end of file From df4bba3abde0f2e11987bf249818d44d91e014f8 Mon Sep 17 00:00:00 2001 From: Philipp Beckers Date: Fri, 20 Nov 2020 19:58:55 +0100 Subject: [PATCH 015/288] made the "Make it" changed I missed earlier --- docs/u_e-dovecot-expunge.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/u_e-dovecot-expunge.md b/docs/u_e-dovecot-expunge.md index ffd7f9782..f5db787cd 100644 --- a/docs/u_e-dovecot-expunge.md +++ b/docs/u_e-dovecot-expunge.md 
@@ -31,7 +31,7 @@ docker-compose exec dovecot-mailcow doveadm expunge -u 'mailbox@example.com' mai !!! info For possible [time spans](https://wiki.dovecot.org/Tools/Doveadm/SearchQuery#section_date_specification) or [search keys](https://wiki.dovecot.org/Tools/Doveadm/SearchQuery#section_search_keys) have a look at [man doveadm-search-query](https://wiki.dovecot.org/Tools/Doveadm/SearchQuery) -## Make it automatic +## Job scheduler ### via the host system cron: From 37ec46ae9ec25d04adfc068bc4418ad9b61cbcbf Mon Sep 17 00:00:00 2001 From: Philipp Beckers Date: Fri, 20 Nov 2020 20:05:20 +0100 Subject: [PATCH 016/288] clearified what gets deleted by the sample docker.override.yml --- docs/u_e-dovecot-expunge.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/u_e-dovecot-expunge.md b/docs/u_e-dovecot-expunge.md index f5db787cd..d6fc3ac24 100644 --- a/docs/u_e-dovecot-expunge.md +++ b/docs/u_e-dovecot-expunge.md @@ -33,7 +33,7 @@ docker-compose exec dovecot-mailcow doveadm expunge -u 'mailbox@example.com' mai ## Job scheduler -### via the host system cron: +### via the host system cron If you want to automate such a task you can create a cron job on your host that calls a script like the one below: 
@@ -81,7 +81,7 @@ version: '2.1' ``` The job controller just need access to the docker control socket to be able to emulate the behavior of "exec". Then we add a few label to our dovecot-container to activate the job scheduler and tell him in a cron compatible scheduling format when to run. If you struggle with that schedule string you can use [crontab guru](https://crontab.guru/). -This docker-compose.override.yml deletes all mails older then 2 weeks every day at 4 am. To see if things ran proper, you can not only see in your mailbox but also check Ofelia's docker log if it looks something like this: +This docker-compose.override.yml deletes all mails older then 2 weeks from the "Junk" folder every day at 4 am. To see if things ran proper, you can not only see in your mailbox but also check Ofelia's docker log if it looks something like this: ``` common.go:124 ▶ NOTICE [Job "dovecot-expunge-trash" (8759567efa66)] Started - doveadm expunge -A mailbox 'Junk' savedbefore 2w, From 107c39f1ef3ab61e2a903ba851f8acfc510e7a55 Mon Sep 17 00:00:00 2001 From: andryyy Date: Fri, 20 Nov 2020 22:46:47 +0100 Subject: [PATCH 017/288] move webauthn/fido2 --- docs/model-pws.md | 28 ---------------------------- docs/u_e-fido2.md | 15 +++++++++++++++ mkdocs.yml | 2 +- 3 files changed, 16 insertions(+), 29 deletions(-) delete mode 100644 docs/model-pws.md create mode 100644 docs/u_e-fido2.md diff --git a/docs/model-pws.md b/docs/model-pws.md deleted file mode 100644 index 78c935e93..000000000 --- a/docs/model-pws.md +++ /dev/null 
@@ -1,28 +0,0 @@ -# Fully supported hashing methods - -The most current mailcow fully supports the following hashing methods. -The default hashing method is written in bold: - -- **BLF-CRYPT** -- SSHA256 -- SSHA512 - -The methods above can be used in `mailcow.conf` as `MAILCOW_PASS_SCHEME` value. - -## Read-only hashing methods - -The following methods are supported **read only**. - -- MD5-CRYPT -- PLAIN-MD5 -- SHA512-CRYPT - -That means mailcow is able to verify users with a hash like `{PLAIN-MD5}1a1dc91c907325c69271ddf0c944bc72` from the database. - -The value of `MAILCOW_PASS_SCHEME` will _always_ be used to encrypt new passwords. - ---- - -> I changed the password hashes in the "mailbox" SQL table and cannot login. - -A "view" needs to be updated. You can trigger this by restarting sogo-mailcow: `docker-compose restart sogo-mailcow` diff --git a/docs/u_e-fido2.md b/docs/u_e-fido2.md new file mode 100644 index 000000000..49dc78fb8 --- /dev/null +++ b/docs/u_e-fido2.md @@ -0,0 +1,15 @@ +## How is UV handled in mailcow? + +The UV flag (as in "user verification") enforces WebAuthn to verify the user before it allows access to the key (think of a PIN). We don't enforce UV to allow logins via iOS and NFC (YubiKey). + +## Login and key processing + +mailcow uses **client-side key processing**. We ask the authenticator (i.e. YubiKey) to save the registration in its memory. + +A user does not need to enter a username. The available credentials - if any - will be shown to the user when selecting the "key login" via mailcow UI login. + +When calling the login process, the authenticator is not given any credential IDs. This will force it to lookup credentials in its own memory. + +## Who can use WebAuthn to login to mailcow? + +As of today, only administrators and domain administrators are able to setup WebAuthn/FIDO2. diff --git a/mkdocs.yml b/mkdocs.yml index 39c5483f0..704d0f072 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
@@ -44,7 +44,6 @@ nav: - 'ACL': 'model-acl.md' - 'Password hashing': 'model-passwd.md' - 'Sender and receiver model': 'model-sender_rcv.md' - - 'WebAuthn / FIDO2': 'model-fido2.md' - 'Debugging & Troubleshooting': - 'Introduction': debug.md - 'Logs': 'debug-logs.md' @@ -70,6 +69,7 @@ nav: - 'Temporary email aliases': 'u_e-mailcow_ui-spamalias.md' - 'Tagging': 'u_e-mailcow_ui-tagging.md' - 'Two-Factor Authentication': 'u_e-mailcow_ui-tfa.md' + - 'WebAuthn / FIDO2': 'u_e-fido2.md' - 'Postfix': - 'Custom transport maps': 'u_e-postfix-custom_transport.md' - 'Whitelist IP in Postscreen': 'u_e-postfix-postscreen_whitelist.md' From c17b27ddf1a12e59999bc73df5c71c1ba476fbb1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Wed, 25 Nov 2020 18:39:11 +0100 Subject: [PATCH 018/288] Update u_e-dovecot-vmail-volume.md --- docs/u_e-dovecot-vmail-volume.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/docs/u_e-dovecot-vmail-volume.md b/docs/u_e-dovecot-vmail-volume.md index 0cf07aa64..f5cf4fd2e 100644 --- a/docs/u_e-dovecot-vmail-volume.md +++ b/docs/u_e-dovecot-vmail-volume.md 
@@ -1,3 +1,20 @@ +## The "new" way + +**WARNING**: Newer Docker versions seem to complain about existing volumes. You can fix this temporarily by removing the existing volume and start mailcow with the override file. But it seems to be problematic after a reboot (needs to be confirmed). + +An easy, dirty, yet stable workaround is to stop mailcow (`docker-compose down`), remove `/var/lib/docker/volumes/mailcowdockerized_vmail-vol-1/_data` and create a new link to your remote filesystem location, for example: + +``` +mv /var/lib/docker/volumes/mailcowdockerized_vmail-vol-1/_data /var/lib/docker/volumes/mailcowdockerized_vmail-vol-1/_data_backup +ln -s /mnt/volume-xy/vmail_data /var/lib/docker/volumes/mailcowdockerized_vmail-vol-1/_data +``` + +Start mailcow afterwards. + +--- + +## The "old" way + If you want to use another folder for the vmail-volume, you can create a `docker-compose.override.yml` file and add the following content: ``` From 2c236ec3d302321bcd96ba22ad404abf39910df0 Mon Sep 17 00:00:00 2001 From: BlackWolf-Design Date: Mon, 30 Nov 2020 10:25:50 +0100 Subject: [PATCH 019/288] Update firststeps-rp.md it looks like the old version no longer works. no more redirection ... changed, tested and redirects now again --- docs/firststeps-rp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/firststeps-rp.md b/docs/firststeps-rp.md index 11b266167..c37bc2c01 100644 --- a/docs/firststeps-rp.md +++ b/docs/firststeps-rp.md @@ -50,7 +50,7 @@ Let's Encrypt will follow our rewrite, certificate requests in mailcow will work ServerAlias autoconfig.* RewriteEngine on - RewriteCond %{HTTPS} !=on + RewriteCond %{HTTPS} off RewriteRule ^/?(.*) https://%{HTTP_HOST}/$1 [R=301,L] ProxyPass / http://127.0.0.1:8080/ From 6ef4a3099c4d85ea5436372c41fa2c86a835fdf6 Mon Sep 17 00:00:00 2001 
From: Dmitriy Alekseev <1865999+dragoangel@users.noreply.github.com> Date: Wed, 2 Dec 2020 20:20:08 +0200 Subject: [PATCH 020/288] Update firststeps-dmarc_reporting.md --- docs/firststeps-dmarc_reporting.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/firststeps-dmarc_reporting.md b/docs/firststeps-dmarc_reporting.md index cedf5ce6e..3da9f813f 100644 --- a/docs/firststeps-dmarc_reporting.md +++ b/docs/firststeps-dmarc_reporting.md @@ -47,9 +47,9 @@ Do not add this option to `dmarc.conf` till bug https://github.com/rspamd/rspamd ## DMARC Force actions This module also allows to enable force actions based on sender DMARC policy to reject or quarantine emails which has failed policy. -This good from security point, but not allow whitelist broken senders. This up to your choice enable it or not. +This good from security point, but not allow whitelist broken senders. Better avoid using this option. -To enable it, add to end of `data/conf/rspamd/local.d/dmarc.conf`: +If you still want to enable it, add to end of `data/conf/rspamd/local.d/dmarc.conf`: ``` actions { quarantine = "add_header"; From cef82d96137568cd1da2d435b739fb15913f226e Mon Sep 17 00:00:00 2001 From: Dmitriy Alekseev <1865999+dragoangel@users.noreply.github.com> Date: Fri, 4 Dec 2020 16:23:28 +0200 Subject: [PATCH 021/288] Update firststeps-dmarc_reporting.md --- docs/firststeps-dmarc_reporting.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/firststeps-dmarc_reporting.md b/docs/firststeps-dmarc_reporting.md index 3da9f813f..8ce3d6144 100644 --- a/docs/firststeps-dmarc_reporting.md +++ b/docs/firststeps-dmarc_reporting.md 
@@ -14,7 +14,7 @@ Offical configuration options and documentation can be found here: https://rspam - In case you plan to resend a copy of reports to yourself: you need add condition to previous filter example `From is not noreply-dmarc@example.com` ## Enable DMARC Reports -Create or edit file in `data/conf/rspamd/local.d/dmarc.conf` and set content to: +1. Create or edit file in `data/conf/rspamd/local.d/dmarc.conf` and set content to: ``` reporting = true; send_reports = true; @@ -30,6 +30,8 @@ report_settings { hscan_count = 1500 } ``` +2. Create required `dmarc_reports_last_sent` file: +`docker-compose exec rspamd-mailcow bash -c "touch /var/lib/rspamd/dmarc_reports_last_sent; chown 101:101 /var/lib/rspamd/dmarc_reports_last_sent; chmod 644 /var/lib/rspamd/dmarc_reports_last_sent"` ## Disable DMARC Reports To disable reports set `send_reports` to `false` From a23fae01d52d98dcee4897fc7e8e404297f3bf3e Mon Sep 17 00:00:00 2001 From: Dmitriy Alekseev <1865999+dragoangel@users.noreply.github.com> Date: Fri, 4 Dec 2020 16:25:04 +0200 Subject: [PATCH 022/288] Update firststeps-dmarc_reporting.md --- docs/firststeps-dmarc_reporting.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/firststeps-dmarc_reporting.md b/docs/firststeps-dmarc_reporting.md index 8ce3d6144..d14a8a2a5 100644 --- a/docs/firststeps-dmarc_reporting.md +++ b/docs/firststeps-dmarc_reporting.md @@ -32,6 +32,8 @@ report_settings { ``` 2. Create required `dmarc_reports_last_sent` file: `docker-compose exec rspamd-mailcow bash -c "touch /var/lib/rspamd/dmarc_reports_last_sent; chown 101:101 /var/lib/rspamd/dmarc_reports_last_sent; chmod 644 /var/lib/rspamd/dmarc_reports_last_sent"` +3. Restart rspamd container: +`docker-compose restart rspamd-mailcow` ## Disable DMARC Reports To disable reports set `send_reports` to `false` From 68f269a96bfe145eaeccfd510fcc4427657a7efb Mon Sep 17 00:00:00 2001 
From: Dmitriy Alekseev <1865999+dragoangel@users.noreply.github.com> Date: Fri, 4 Dec 2020 16:25:40 +0200 Subject: [PATCH 023/288] Update firststeps-dmarc_reporting.md --- docs/firststeps-dmarc_reporting.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/firststeps-dmarc_reporting.md b/docs/firststeps-dmarc_reporting.md index d14a8a2a5..e142e7ffd 100644 --- a/docs/firststeps-dmarc_reporting.md +++ b/docs/firststeps-dmarc_reporting.md @@ -36,7 +36,7 @@ report_settings { `docker-compose restart rspamd-mailcow` ## Disable DMARC Reports -To disable reports set `send_reports` to `false` +To disable reporting set `send_reports` to `false` and restart rspamd container ## Send a copy reports to yourself To get copy of own generated reports you can add `additional_address = "noreply-dmarc@pnnsoft.com";` in `report_settings` section. From 7ad7193d028c449661326cb6762108a828e46b4b Mon Sep 17 00:00:00 2001 From: Dmitriy Alekseev <1865999+dragoangel@users.noreply.github.com> Date: Fri, 4 Dec 2020 16:48:06 +0200 Subject: [PATCH 024/288] Update firststeps-dmarc_reporting.md --- docs/firststeps-dmarc_reporting.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/firststeps-dmarc_reporting.md b/docs/firststeps-dmarc_reporting.md index e142e7ffd..ad1336ab7 100644 --- a/docs/firststeps-dmarc_reporting.md +++ b/docs/firststeps-dmarc_reporting.md @@ -51,7 +51,7 @@ Do not add this option to `dmarc.conf` till bug https://github.com/rspamd/rspamd ## DMARC Force actions This module also allows to enable force actions based on sender DMARC policy to reject or quarantine emails which has failed policy. -This good from security point, but not allow whitelist broken senders. Better avoid using this option. +This good from security point, but it can lead of rejecting of forwarded email and not allow whitelist broken senders. Better **avoid** using this option. If you still want to enable it, add to end of `data/conf/rspamd/local.d/dmarc.conf`: ``` 
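Review bot: The rewritten sentence under "DMARC Force actions" in PATCH 024/288 is hard to parse at "it can lead of rejecting of forwarded email and not allow whitelist broken senders", and it carries the only reason given for the bolded **avoid**. Suggest: "This is good from a security standpoint, but it can cause forwarded email to be rejected and leaves no way to whitelist senders with broken DMARC. It is better to **avoid** this option."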
From b94534b6607794feb47b1d22b781cbda97c01fdb Mon Sep 17 00:00:00 2001 From: Katos <7927609+katosdev@users.noreply.github.com> Date: Fri, 4 Dec 2020 19:12:18 +0000 Subject: [PATCH 025/288] Update u_e-unbound-fwd.md Amend grammar from "NO NOT USE" to "DO NOT USE" --- docs/u_e-unbound-fwd.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/u_e-unbound-fwd.md b/docs/u_e-unbound-fwd.md index b8caaf616..e4a64f612 100644 --- a/docs/u_e-unbound-fwd.md +++ b/docs/u_e-unbound-fwd.md @@ -11,8 +11,8 @@ Edit `data/conf/unbound/unbound.conf` and append the following parameters: ``` forward-zone: name: "." - forward-addr: 8.8.8.8 # NO NOT USE PUBLIC DNS SERVERS - JUST AN EXAMPLE - forward-addr: 8.8.4.4 # NO NOT USE PUBLIC DNS SERVERS - JUST AN EXAMPLE + forward-addr: 8.8.8.8 # DO NOT USE PUBLIC DNS SERVERS - JUST AN EXAMPLE + forward-addr: 8.8.4.4 # DO NOT USE PUBLIC DNS SERVERS - JUST AN EXAMPLE ``` Restart Unbound: From bbe373b298d0ffc1efeefbeeae49dc9776ae99d6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Mon, 7 Dec 2020 07:53:16 +0100 Subject: [PATCH 026/288] Update model-passwd.md --- docs/model-passwd.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/model-passwd.md b/docs/model-passwd.md index c06642039..daddcb59d 100644 --- a/docs/model-passwd.md +++ b/docs/model-passwd.md @@ -4,6 +4,7 @@ The most current mailcow fully supports the following hashing methods. The default hashing method is written in bold: - **BLF-CRYPT** +- SSHA - SSHA256 - SSHA512 From e270b798488ac22f8c76674068fb9e59ab6864ad Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Thu, 17 Dec 2020 09:32:50 +0100 Subject: [PATCH 027/288] Update prerequisite-system.md --- docs/prerequisite-system.md | 28 ++++++++++++++++++++-------- 1 file changed, 20 insertions(+), 8 deletions(-) diff --git a/docs/prerequisite-system.md b/docs/prerequisite-system.md index 181411600..f378b7487 100644 --- a/docs/prerequisite-system.md 
+++ b/docs/prerequisite-system.md 
@@ -16,16 +16,28 @@ Before you run **mailcow: dockerized**, there are a few requirements that you sh Please make sure that your system has at least the following resources: -| Resource | mailcow: dockerized | -| ----------------------- | -------------------------------------------- | -| CPU | 1 GHz | -| RAM                     | Minimum 4 GiB + Swap | -| Disk | 20 GiB (without emails) | -| System Type | x86_64 | +| Resource | mailcow: dockerized | +| ----------------------- | ------------------------------------------------ | +| CPU | 1 GHz | +| RAM                     | **Minimum** 6 GiB + 1 GiB swap (default config) | +| Disk | 20 GiB (without emails) | +| System Type | x86_64 | -As of today (29th Dec 2019), we recommend using any distribution listed as supported by Docker CE (check https://docs.docker.com/install/). We test on CentOS 7, Debian 9/10 and Ubuntu 18.04. +We recommend using any distribution listed as supported by Docker CE (check https://docs.docker.com/install/). We test on CentOS 7, Debian 9/10 and Ubuntu 18.04/20.04. -ClamAV and Solr are greedy RAM munchers. You can disable them in `mailcow.conf` by settings SKIP_CLAMD=y and SKIP_SOLR=y. +ClamAV and Solr can be greedy with RAM. You may disable them in `mailcow.conf` by settings `SKIP_CLAMD=y` and `SKIP_SOLR=y`. + +**Info**: We are aware that a pure MTA can run on 128 MiB RAM. mailcow is a full-grown and ready-to-use groupware with many extras making life easier. mailcow comes with a webserver, webmailer, ActiveSync (MS), antivirus, antispam, indexing (Solr), document scanner (Oletools), SQL (MariaDB), Cache (Redis), MDA, MTA, various web services etc. + +A single SOGo worker **can** acquire ~350 MiB RAM before it gets purged. The more ActiveSync connections you plan to use, the more RAM you will need. A default configuration spawns 20 workers. + +#### Usage examples + +A company with 15 phones (EAS enabled) and about 50 concurrent IMAP connections should plan 16 GB RAM. 
+ +6 GiB RAM + 1 GiB swap are fine for most private installations while 8 GiB RAM are recommended for ~5 to 10 users. + +We can help to correctly plan your setup as part of our support. ## Firewall & Ports From 902f74a8c47822941b28164d092e4d643362bf3c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Thu, 17 Dec 2020 09:33:34 +0100 Subject: [PATCH 028/288] Update prerequisite-system.md --- docs/prerequisite-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/prerequisite-system.md b/docs/prerequisite-system.md index f378b7487..82c746cbb 100644 --- a/docs/prerequisite-system.md +++ b/docs/prerequisite-system.md @@ -12,7 +12,7 @@ Before you run **mailcow: dockerized**, there are a few requirements that you sh ## Minimum System Resources -**Do not** use OpenVZ or LXC as guests for mailcow. +**OpenVZ or LXC are not supported**. Please make sure that your system has at least the following resources: From f2fe6862dfa33780092311366ecd3dd4e1f64ed6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Thu, 17 Dec 2020 19:30:35 +0100 Subject: [PATCH 029/288] Update prerequisite-system.md --- docs/prerequisite-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/prerequisite-system.md b/docs/prerequisite-system.md index 82c746cbb..842bbd368 100644 --- a/docs/prerequisite-system.md +++ b/docs/prerequisite-system.md @@ -33,7 +33,7 @@ A single SOGo worker **can** acquire ~350 MiB RAM before it gets purged. The mor #### Usage examples -A company with 15 phones (EAS enabled) and about 50 concurrent IMAP connections should plan 16 GB RAM. +A company with 15 phones (EAS enabled) and about 50 concurrent IMAP connections should plan 16 GiB RAM. 6 GiB RAM + 1 GiB swap are fine for most private installations while 8 GiB RAM are recommended for ~5 to 10 users. From bd1021ad0a3618180431e17a8dd6b69c72df63dc Mon Sep 17 00:00:00 2001 
From: Bojan Bogojevic <20166636+Bojan023@users.noreply.github.com> Date: Wed, 23 Dec 2020 17:37:53 +0100 Subject: [PATCH 030/288] Order DNS records alphabetically and fix capital m original record with capital M: _carddavs._tcp IN SRV 0 1 443 Mail.example.org. --- docs/prerequisite-dns.md | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/docs/prerequisite-dns.md b/docs/prerequisite-dns.md index 596c84d51..1de6f22b7 100644 --- a/docs/prerequisite-dns.md +++ b/docs/prerequisite-dns.md @@ -58,18 +58,21 @@ _dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:mailauth-reports@ ``` # Name Type Priority Weight Port Value +_autodiscover._tcp IN SRV 0 1 443 mail.example.org. +_caldavs._tcp IN SRV 0 1 443 mail.example.org. +_caldavs._tcp IN TXT "path=/SOGo/dav/" +_carddavs._tcp IN SRV 0 1 443 Mail.example.org. +_carddavs._tcp IN TXT "path=/SOGo/dav/" _imap._tcp IN SRV 0 1 143 mail.example.org. _imaps._tcp IN SRV 0 1 993 mail.example.org. _pop3._tcp IN SRV 0 1 110 mail.example.org. _pop3s._tcp IN SRV 0 1 995 mail.example.org. -_submission._tcp IN SRV 0 1 587 mail.example.org. -_smtps._tcp IN SRV 0 1 465 mail.example.org. _sieve._tcp IN SRV 0 1 4190 mail.example.org. -_autodiscover._tcp IN SRV 0 1 443 mail.example.org. -_carddavs._tcp IN SRV 0 1 443 Mail.example.org. -_carddavs._tcp IN TXT "path=/SOGo/dav/" -_caldavs._tcp IN SRV 0 1 443 mail.example.org. -_caldavs._tcp IN TXT "path=/SOGo/dav/" +_smtps._tcp IN SRV 0 1 465 mail.example.org. +_submission._tcp IN SRV 0 1 587 mail.example.org. + + + ``` ## Testing From b65cd3b8d3ee313efde9e869a684a79147e33a9b Mon Sep 17 00:00:00 2001 From: Mitch Brown Date: Wed, 23 Dec 2020 12:57:09 -0800 Subject: [PATCH 031/288] Update debug-rm_volumes.md Fixed typo --- docs/debug-rm_volumes.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/debug-rm_volumes.md b/docs/debug-rm_volumes.md index 1e2d78366..fc8cd7b25 100644 --- a/docs/debug-rm_volumes.md +++ b/docs/debug-rm_volumes.md 
@@ -1,6 +1,6 @@ You may want to remove a set of persistent data to resolve a conflict or to start over. -`mailcowdockerized` can vary and depends on your compose project name (if it's unchanged, `mailcowdockerized` is the correct value). If you are unsure about volume names, run `docker volumes ls` for a full list. +`mailcowdockerized` can vary and depends on your compose project name (if it's unchanged, `mailcowdockerized` is the correct value). If you are unsure about volume names, run `docker volume ls` for a full list. Delete a single volume: From d3895e3744247976e941fa5fe704c54a6a7d2d47 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Thu, 24 Dec 2020 21:05:03 +0100 Subject: [PATCH 032/288] Update prerequisite-system.md --- docs/prerequisite-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/prerequisite-system.md b/docs/prerequisite-system.md index 842bbd368..32230b14a 100644 --- a/docs/prerequisite-system.md +++ b/docs/prerequisite-system.md @@ -12,7 +12,7 @@ Before you run **mailcow: dockerized**, there are a few requirements that you sh ## Minimum System Resources -**OpenVZ or LXC are not supported**. +**OpenVZ, Virtuozzo and LXC are not supported**. Please make sure that your system has at least the following resources: From 1b92325527dbe233c93d1e3c2c03c3f925f0c74e Mon Sep 17 00:00:00 2001 From: Patrik Kernstock Date: Tue, 5 Jan 2021 23:10:55 +0000 Subject: [PATCH 033/288] Added note regarding piler 1.3.10 --- docs/u_e-mailpiler-integration.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/docs/u_e-mailpiler-integration.md b/docs/u_e-mailpiler-integration.md index eaea027dd..c3e4f417b 100644 --- a/docs/u_e-mailpiler-integration.md +++ b/docs/u_e-mailpiler-integration.md 
@@ -2,6 +2,9 @@ This is a simple integration of mailcow aliases and the mailbox name into mailpi **Disclaimer**: This is not officially maintained nor supported by the mailcow project nor its contributors. No warranty or support is being provided, however you're free to open issues on GitHub for filing a bug or provide further ideas. [GitHub repo can be found here](https://github.com/patschi/mailpiler-mailcow-integration). +!!! info + Support for domain wildcards were implemented in Piler 1.3.10 which was released on 03.01.2021. Prior versions basically do work, but after logging in you won't see emails sent from or to the domain alias. (e.g. when @example.com is an alias for admin@example.com) + ## The problem to solve mailpiler offers the authentication based on IMAP, for example: @@ -30,7 +33,7 @@ Note: File paths might vary depending on your setup. ### Requirements - A working mailcow instance -- A working mailpiler instance ([You can find an installation guide here](https://patrik.kernstock.net/2020/08/mailpiler-installation-guide/)) +- A working mailpiler instance ([You can find an installation guide here](https://patrik.kernstock.net/2020/08/mailpiler-installation-guide/), [check supported versions here](https://github.com/patschi/mailpiler-mailcow-integration#piler)) - An mailcow API key (read-only works just fine): `Configuration & Details - Access - Read-Only Access`. Don't forget to allow API access from your mailpiler IP. !!! warning From 9a54b266d931b849964a25b8b1b90c8fd9c51f5c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Thu, 7 Jan 2021 16:44:23 +0100 Subject: [PATCH 034/288] Update firststeps-ip_bindings.md --- docs/firststeps-ip_bindings.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/firststeps-ip_bindings.md b/docs/firststeps-ip_bindings.md index e04d5bbd6..a10c3af49 100644 --- a/docs/firststeps-ip_bindings.md +++ b/docs/firststeps-ip_bindings.md 
@@ -8,11 +8,12 @@ To adjust one or multiple IPv4 bindings, open `mailcow.conf` and edit one, multi ``` # For technical reasons, http bindings are a bit different from other service bindings. # You will find the following variables, separated by a bind address and its port: +# Example: HTTP_BIND=1.2.3.4 HTTP_PORT=80 -HTTP_BIND=0.0.0.0 +HTTP_BIND= HTTPS_PORT=443 -HTTPS_BIND=0.0.0.0 +HTTPS_BIND= # Other services are bound by using the following format: # SMTP_PORT=25 equals to SMTP_PORT=0.0.0.0:25 From 141b1fe9e79cb7beac8291a868c6d6ef98347cb3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Thu, 7 Jan 2021 22:20:11 +0100 Subject: [PATCH 035/288] Update u_e-80_to_443.md --- docs/u_e-80_to_443.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/u_e-80_to_443.md b/docs/u_e-80_to_443.md index bfd486665..f18159782 100644 --- a/docs/u_e-80_to_443.md +++ b/docs/u_e-80_to_443.md @@ -2,7 +2,7 @@ Since February the 28th 2017 mailcow does come with port 80 and 443 enabled. **Do not use the config below for reverse proxy setups**, please see our reverse proxy guide for this, which includes a redirect from HTTP to HTTPS. -Open `mailcow.conf` and set `HTTP_BIND=0.0.0.0` - if not already set. +Open `mailcow.conf` and set `HTTP_BIND=` - if not already set. Create a new file `data/conf/nginx/redirect.conf` and add the following server config to the file: From 1e5908eae3c0bee896f21875aa256bef7c6d14c0 Mon Sep 17 00:00:00 2001 From: andryyy Date: Thu, 7 Jan 2021 22:22:35 +0100 Subject: [PATCH 036/288] Add 0.0.0.0 note --- docs/firststeps-ip_bindings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/firststeps-ip_bindings.md b/docs/firststeps-ip_bindings.md index a10c3af49..86a1764fd 100644 --- a/docs/firststeps-ip_bindings.md +++ b/docs/firststeps-ip_bindings.md 
@@ -16,8 +16,8 @@ HTTPS_PORT=443 HTTPS_BIND= # Other services are bound by using the following format: -# SMTP_PORT=25 equals to SMTP_PORT=0.0.0.0:25 # SMTP_PORT=1.2.3.4:25 will bind SMTP to the IP 1.2.3.4 on port 25 +# Important! Specifying an IPv4 address will skip all IPv6 bindings since Docker 20.x. # doveadm, SQL as well as Solr are bound to local ports only, please do not change that, unless you know what you are doing. SMTP_PORT=25 From fe00ff90e1454e08823ce09011d77ff9bf052eaf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Fri, 8 Jan 2021 12:37:59 +0100 Subject: [PATCH 037/288] Update u_e-webmail-site.md --- docs/u_e-webmail-site.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/u_e-webmail-site.md b/docs/u_e-webmail-site.md index 83b4777a0..31c9e1e65 100644 --- a/docs/u_e-webmail-site.md +++ b/docs/u_e-webmail-site.md @@ -1,4 +1,4 @@ -**Edit**: TODO: This guide only applies to non SNI enabled configurations. The certificate path needs to be adjusted if SNI is enabled. Something like `ssl_certificate,key /etc/ssl/mail/webmail.example.org/cert.pem,key.pem;` will do. **But**: The certificate should be acquired **first** and only after the certificate exists a site config should be created. Nginx will fail to start if it cannot find the certificate and key. +**IMPORTANT**: This guide only applies to non SNI enabled configurations. The certificate path needs to be adjusted if SNI is enabled. Something like `ssl_certificate,key /etc/ssl/mail/webmail.example.org/cert.pem,key.pem;` will do. **But**: The certificate should be acquired **first** and only after the certificate exists a site config should be created. Nginx will fail to start if it cannot find the certificate and key. To create a subdomain `webmail.example.org` and redirect it to SOGo, you need to create a **new** Nginx site. Take care of "CHANGE_TO_MAILCOW_HOSTNAME"! From 3f0d709370ea68f6273432b76a08f07ef5375b10 Mon Sep 17 00:00:00 2001 
From: ValdikSS Date: Mon, 11 Jan 2021 18:59:04 +0300 Subject: [PATCH 038/288] Add postscreen whitelist syntax and examples --- docs/u_e-postfix-postscreen_whitelist.md | 23 ++++++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/docs/u_e-postfix-postscreen_whitelist.md b/docs/u_e-postfix-postscreen_whitelist.md index 2104dfb31..62aea3753 100644 --- a/docs/u_e-postfix-postscreen_whitelist.md +++ b/docs/u_e-postfix-postscreen_whitelist.md @@ -1,3 +1,20 @@ -IPs can be removed from Postscreen and therefore _also_ from RBL checks in `data/conf/postfix/custom_postscreen_whitelist.cidr`. - -Postscreen does multiple checks to identify malicious senders. In most cases you want to whitelist an IP to exclude it from blacklist lookups. +IPs can be removed from Postscreen and therefore _also_ from RBL checks in `data/conf/postfix/custom_postscreen_whitelist.cidr`. + +Postscreen does multiple checks to identify malicious senders. In most cases you want to whitelist an IP to exclude it from blacklist lookups. + +The format of the file is as follows: + +`CIDR ACTION` + +Where CIDR is a single IP address or IP range in CIDR notation, and action is either "permit" or "reject". + +Example: + +``` +# Rules are evaluated in the order as specified. +# Blacklist 192.168.* except 192.168.0.1. +192.168.0.1 permit +192.168.0.0/16 reject +``` + +The file is reloaded on the fly, postfix restart is not required. \ No newline at end of file From 294220fe8197c6d87b59a6fa3beb409ba1bac7f7 Mon Sep 17 00:00:00 2001 From: Anand Dyavanapalli Date: Tue, 12 Jan 2021 20:41:58 -0500 Subject: [PATCH 039/288] typo: Change `role` to `roll`. --- docs/i_u_m_update.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/i_u_m_update.md b/docs/i_u_m_update.md index 618aa5361..d20b76676 100644 --- a/docs/i_u_m_update.md +++ b/docs/i_u_m_update.md 
@@ -52,7 +52,7 @@ dacd4fb9b51e9e1c8a37d84485b92ffaf6c59353 Before update on 2020-08-07_13_31_31 Run `git diff 22cd00b5e28893ef9ddef3c2b5436453cc5223ab` to see what changed. -### Can I role back? +### Can I roll back? Yes. From f6e8862ba987778fb94efa5c8abbefa9190db7a6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Mon, 18 Jan 2021 07:42:52 +0100 Subject: [PATCH 040/288] Update i_u_m_install.md --- docs/i_u_m_install.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/i_u_m_install.md b/docs/i_u_m_install.md index 62a333752..ddb7d28f6 100644 --- a/docs/i_u_m_install.md +++ b/docs/i_u_m_install.md @@ -1,6 +1,6 @@ !!! warning Make sure you've read ["Prepare Your System"](https://mailcow.github.io/mailcow-dockerized-docs/prerequisite-system) before proceeding! - **Do not** use CentOS 8 with Centos 7 Docker packages. You may create an open relay. + **We do not recommend** CentOS 8 anymore. You need Docker and Docker Compose. From 6e45a4b4e80597484f18f4768fb0a386d02c5b6e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Mon, 18 Jan 2021 07:43:34 +0100 Subject: [PATCH 041/288] Update prerequisite-system.md --- docs/prerequisite-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/prerequisite-system.md b/docs/prerequisite-system.md index 32230b14a..4efdd4c4e 100644 --- a/docs/prerequisite-system.md +++ b/docs/prerequisite-system.md 
@@ -2,7 +2,7 @@ Before you run **mailcow: dockerized**, there are a few requirements that you sh !!! warning Do **not** try to install mailcow on a Synology/QNAP device (any NAS), OpenVZ, LXC or other container platforms. KVM, ESX, Hyper-V and other full virtualization platforms are supported. - Do **not** use CentOS 8 with Centos 7 Docker packages. You may create an open relay. + We **do not** recommend to use CentOS 8 anymore! !!! info - mailcow: dockerized requires [some ports](#default-ports) to be open for incoming connections, so make sure that your firewall is not blocking these. From 20c3fa5f99c3159921fd211818b7ec5bac37ced8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Sun, 24 Jan 2021 09:50:12 +0100 Subject: [PATCH 042/288] Update prerequisite-system.md --- docs/prerequisite-system.md | 47 +++++++++++++++++++++++++++++++++++-- 1 file changed, 45 insertions(+), 2 deletions(-) diff --git a/docs/prerequisite-system.md b/docs/prerequisite-system.md index 4efdd4c4e..252228c2c 100644 --- a/docs/prerequisite-system.md +++ b/docs/prerequisite-system.md @@ -53,8 +53,6 @@ netstat -tulpn | grep -E -w '25|80|110|143|443|465|587|993|995|4190' There are several problems with running mailcow on a firewalld/ufw enabled system. You should disable it (if possible) and move your ruleset to the DOCKER-USER chain, which is not cleared by a Docker service restart, instead. See [this blog post](https://blog.donnex.net/docker-and-iptables-filtering/) for information about how to use iptables-persistent with the DOCKER-USER chain. As mailcow runs dockerized, INPUT rules have no effect on restricting access to mailcow. Use the FORWARD chain instead. -** - If this command returns any results please remove or stop the application running on that port. You may also adjust mailcows ports via the `mailcow.conf` configuration file. ### Default Ports 
@@ -77,6 +75,51 @@ To bind a service to an IP address, you can prepend the IP like this: `SMTP_PORT **Important**: You cannot use IP:PORT bindings in HTTP_PORT and HTTPS_PORT. Please use `HTTP_PORT=1234` and `HTTP_BIND=1.2.3.4` instead. +### Important for Hetzner firewalls + +Quoting https://github.com/chermsen via https://github.com/mailcow/mailcow-dockerized/issues/497#issuecomment-469847380 (THANK YOU!): + +For all who are struggling with the Hetzner firewall: + +Port 53 unimportant for the firewall configuration in this case. According to the documentation unbound uses the port range 1024-65535 for outgoing requests. +Since the Hetzner Robot Firewall is a static firewall (each incoming packet is checked isolated) - the following rules must be applied: + +**For TCP** +``` +SRC-IP: --- +DST IP: --- +SRC Port: --- +DST Port: 1024-65535 +Protocol: tcp +TCP flags: ack +Action: Accept +``` + +**For UDP** +``` +SRC-IP: --- +DST IP: --- +SRC Port: --- +DST Port: 1024-65535 +Protocol: udp +Action: Accept +``` + +If you want to apply a more restrictive port range you have to change the config of unbound first (after installation): + +{mailcow-dockerized}/data/conf/unbound/unbound.conf: +``` +outgoing-port-avoid: 0-32767 +``` + +Now the firewall rules can be adjusted as follows: + +``` +[...] +DST Port: 32768-65535 +[...] +``` + ## Date and Time To ensure that you have the correct date and time setup on your system, please check the output of `timedatectl status`: From a2f749806a8a6617a05557c1c999224162b9a3ee Mon Sep 17 00:00:00 2001 From: Dmitriy Alekseev <1865999+dragoangel@users.noreply.github.com> Date: Sat, 30 Jan 2021 21:52:25 +0200 Subject: [PATCH 043/288] Update u_e-sogo.md --- docs/u_e-sogo.md | 39 +++++++++++++++++++++++++++++++++++---- 1 file changed, 35 insertions(+), 4 deletions(-) diff --git a/docs/u_e-sogo.md b/docs/u_e-sogo.md index aead9520b..62b6f5c36 100644 --- a/docs/u_e-sogo.md +++ b/docs/u_e-sogo.md 
@@ -1,10 +1,41 @@ SOGo is used for accessing your mails via a webbrowser, adding and sharing your contacts or calendars. For a more in-depth documentation on SOGo please visit its [own documentation](http://wiki.sogo.nu/). -## Change Theme -As of December 21 2018 we removed our custom themes due to complains about missing colors in some address book and calendar sections. Some other problems were still existing and would not be fixed in the near future (switching colors on login screen, for example). +## Change theme +mailcow builds after 28 January 2021 can change SOGo's theme by editing `data/conf/sogo/custom-theme.js`. +Please check AngularJS Material [Intro](https://material.angularjs.org/latest/Theming/01_introduction) and [Configuring a theme](https://material.angularjs.org/latest/Theming/03_configuring_a_theme) documentation to get more details on how this works. +After you updated said file you need to restart SOGo and Memcached containers by executing `docker-compose restart memcached-mailcow sogo-mailcow`. 
-## Change Logo +## Reset to SOGo default theme +Checkout `data/conf/sogo/custom-theme.js` by executing `git fetch ; git checkout origin/master data/conf/sogo/custom-theme.js data/conf/sogo/custom-theme.js` +Find in `data/conf/sogo/custom-theme.js`: +``` +// Apply new palettes to the default theme, remap some of the hues + $mdThemingProvider.theme('default') + .primaryPalette('green-cow', { + 'default': '400', // background color of top toolbars + 'hue-1': '400', + 'hue-2': '600', // background color of sidebar toolbar + 'hue-3': 'A700' + }) + .accentPalette('green', { + 'default': '600', // background color of fab buttons + 'hue-1': '300', // background color of center list toolbar + 'hue-2': '300', + 'hue-3': 'A700' + }) + .backgroundPalette('frost-grey'); +``` +and replace with: +``` + $mdThemingProvider.theme('default'); +``` + +## Change favicon +mailcow builds after 30 January 2021 can change SOGo's favicon by replacing `data/conf/sogo/custom-favicon.ico`. +After you replaced said file you need to restart SOGo and Memcached containers by executing `docker-compose restart memcached-mailcow sogo-mailcow`. + +## Change logo mailcow builds after 21 December 2018 can change SOGo's logo by replacing `data/conf/sogo/sogo-full.svg`. After you replaced said file you need to restart SOGo and Memcached containers by executing `docker-compose restart memcached-mailcow sogo-mailcow`. @@ -34,5 +65,5 @@ Restart SOGo: `docker-compose restart sogo-mailcow` Edit `data/conf/sogo/sogo.conf` and **change** `SOGoPasswordChangeEnabled` to `NO`. Please do not add a new parameter. -Run `docker-compose restart sogo-mailcow memcached-mailcow` to activate the changes. +Run `docker-compose restart memcached-mailcow sogo-mailcow` to activate the changes. From e57e0439b56768b81dc0bb184544cdfd5a463862 Mon Sep 17 00:00:00 2001 
From: Dmitriy Alekseev <1865999+dragoangel@users.noreply.github.com> Date: Sat, 30 Jan 2021 22:37:43 +0200 Subject: [PATCH 044/288] Update u_e-sogo.md --- docs/u_e-sogo.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/u_e-sogo.md b/docs/u_e-sogo.md index 62b6f5c36..593638629 100644 --- a/docs/u_e-sogo.md +++ b/docs/u_e-sogo.md @@ -33,6 +33,7 @@ and replace with: ## Change favicon mailcow builds after 30 January 2021 can change SOGo's favicon by replacing `data/conf/sogo/custom-favicon.ico`. +To note: you can use `.png` favicons, renaming them `custom-favicon.ico` will works, but please use standard `.ico` dimensions, e.g: 16x16, 32x32, 64x64, 128x128 and 256x256. After you replaced said file you need to restart SOGo and Memcached containers by executing `docker-compose restart memcached-mailcow sogo-mailcow`. ## Change logo From e93aa3176897193c4440778e8936b5dbed6a5c31 Mon Sep 17 00:00:00 2001 From: Dmitriy Alekseev <1865999+dragoangel@users.noreply.github.com> Date: Sat, 30 Jan 2021 22:40:31 +0200 Subject: [PATCH 045/288] Update u_e-sogo.md --- docs/u_e-sogo.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/u_e-sogo.md b/docs/u_e-sogo.md index 593638629..7e39ecd71 100644 --- a/docs/u_e-sogo.md +++ b/docs/u_e-sogo.md 
@@ -3,7 +3,7 @@ SOGo is used for accessing your mails via a webbrowser, adding and sharing your ## Change theme mailcow builds after 28 January 2021 can change SOGo's theme by editing `data/conf/sogo/custom-theme.js`. -Please check AngularJS Material [Intro](https://material.angularjs.org/latest/Theming/01_introduction) and [Configuring a theme](https://material.angularjs.org/latest/Theming/03_configuring_a_theme) documentation to get more details on how this works. +Please check AngularJS Material [Intro](https://material.angularjs.org/latest/Theming/01_introduction) & [Configuring theme](https://material.angularjs.org/latest/Theming/03_configuring_a_theme) documentation with [Material Style Color](https://material.io/archive/guidelines/style/color.html#color-color-palette) page to learn how this works. After you updated said file you need to restart SOGo and Memcached containers by executing `docker-compose restart memcached-mailcow sogo-mailcow`. ## Reset to SOGo default theme From 5eb6e7620b32fbce89eda95bdf69634249b8367a Mon Sep 17 00:00:00 2001 From: Dmitriy Alekseev <1865999+dragoangel@users.noreply.github.com> Date: Sat, 30 Jan 2021 23:57:00 +0200 Subject: [PATCH 046/288] Update u_e-sogo.md --- docs/u_e-sogo.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/u_e-sogo.md b/docs/u_e-sogo.md index 7e39ecd71..454d07653 100644 --- a/docs/u_e-sogo.md +++ b/docs/u_e-sogo.md 
@@ -32,8 +32,9 @@ and replace with: ``` ## Change favicon -mailcow builds after 30 January 2021 can change SOGo's favicon by replacing `data/conf/sogo/custom-favicon.ico`. -To note: you can use `.png` favicons, renaming them `custom-favicon.ico` will works, but please use standard `.ico` dimensions, e.g: 16x16, 32x32, 64x64, 128x128 and 256x256. +mailcow builds after 30 January 2021 can change SOGo's favicon by replacing `data/conf/sogo/custom-favicon.ico` for SOGo and `data/web/favicon.png` for mailcow UI. +To note: you can use `.png` favicons for SOGo, by renaming them to `custom-favicon.ico`. +For both SOGo and mailcow UI faviconsyou need use one of standard dimensions: 16x16, 32x32, 64x64, 128x128 and 256x256. After you replaced said file you need to restart SOGo and Memcached containers by executing `docker-compose restart memcached-mailcow sogo-mailcow`. ## Change logo From f91dccc74b68e65fc7030872afb0d86a63c60c38 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Sun, 31 Jan 2021 09:50:06 +0100 Subject: [PATCH 047/288] Update u_e-sogo.md --- docs/u_e-sogo.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/u_e-sogo.md b/docs/u_e-sogo.md index 454d07653..38a79c871 100644 --- a/docs/u_e-sogo.md +++ b/docs/u_e-sogo.md 
@@ -3,7 +3,7 @@ SOGo is used for accessing your mails via a webbrowser, adding and sharing your ## Change theme mailcow builds after 28 January 2021 can change SOGo's theme by editing `data/conf/sogo/custom-theme.js`. -Please check AngularJS Material [Intro](https://material.angularjs.org/latest/Theming/01_introduction) & [Configuring theme](https://material.angularjs.org/latest/Theming/03_configuring_a_theme) documentation with [Material Style Color](https://material.io/archive/guidelines/style/color.html#color-color-palette) page to learn how this works. +Please check the AngularJS Material [intro](https://material.angularjs.org/latest/Theming/01_introduction) and [documentation](https://material.angularjs.org/latest/Theming/03_configuring_a_theme) as well as the [material style guideline](https://material.io/archive/guidelines/style/color.html#color-color-palette) to learn how this works. After you updated said file you need to restart SOGo and Memcached containers by executing `docker-compose restart memcached-mailcow sogo-mailcow`. ## Reset to SOGo default theme From 7a6bd9b249af70ea0dc2c6fc80d103f14bfa42b6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Sun, 31 Jan 2021 09:54:45 +0100 Subject: [PATCH 048/288] Update u_e-sogo.md --- docs/u_e-sogo.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/u_e-sogo.md b/docs/u_e-sogo.md index 38a79c871..909e10918 100644 --- a/docs/u_e-sogo.md +++ b/docs/u_e-sogo.md 
@@ -32,13 +32,13 @@ and replace with: ``` ## Change favicon -mailcow builds after 30 January 2021 can change SOGo's favicon by replacing `data/conf/sogo/custom-favicon.ico` for SOGo and `data/web/favicon.png` for mailcow UI. -To note: you can use `.png` favicons for SOGo, by renaming them to `custom-favicon.ico`. -For both SOGo and mailcow UI faviconsyou need use one of standard dimensions: 16x16, 32x32, 64x64, 128x128 and 256x256. +mailcow builds after 31 January 2021 can change SOGo's favicon by replacing `data/conf/sogo/custom-favicon.ico` for SOGo and `data/web/favicon.png` for mailcow UI. +**Note**: You can use `.png` favicons for SOGo by renaming them to `custom-favicon.ico`. +For both SOGo and mailcow UI favicons you need use one of the standard dimensions: 16x16, 32x32, 64x64, 128x128 and 256x256. After you replaced said file you need to restart SOGo and Memcached containers by executing `docker-compose restart memcached-mailcow sogo-mailcow`. ## Change logo -mailcow builds after 21 December 2018 can change SOGo's logo by replacing `data/conf/sogo/sogo-full.svg`. +mailcow builds after 21 December 2018 can change SOGo's logo by replacing or creating (if missing) `data/conf/sogo/sogo-full.svg`. After you replaced said file you need to restart SOGo and Memcached containers by executing `docker-compose restart memcached-mailcow sogo-mailcow`. ## Connect domains From 612177cb374025f6b4810a630d0b2885b5f66d57 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Mon, 1 Feb 2021 08:03:20 +0100 Subject: [PATCH 049/288] Update prerequisite-system.md --- docs/prerequisite-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/prerequisite-system.md b/docs/prerequisite-system.md index 252228c2c..c70415166 100644 --- a/docs/prerequisite-system.md +++ b/docs/prerequisite-system.md 
@@ -50,7 +50,7 @@ netstat -tulpn | grep -E -w '25|80|110|143|443|465|587|993|995|4190' ``` !!! warning - There are several problems with running mailcow on a firewalld/ufw enabled system. You should disable it (if possible) and move your ruleset to the DOCKER-USER chain, which is not cleared by a Docker service restart, instead. See [this blog post](https://blog.donnex.net/docker-and-iptables-filtering/) for information about how to use iptables-persistent with the DOCKER-USER chain. + There are several problems with running mailcow on a firewalld/ufw enabled system. You should disable it (if possible) and move your ruleset to the DOCKER-USER chain, which is not cleared by a Docker service restart, instead. See [this (blog.donnex.net)](https://blog.donnex.net/docker-and-iptables-filtering/) or [this (unrouted.io)](https://unrouted.io/2017/08/15/docker-firewall/) guide for information about how to use iptables-persistent with the DOCKER-USER chain. As mailcow runs dockerized, INPUT rules have no effect on restricting access to mailcow. Use the FORWARD chain instead. If this command returns any results please remove or stop the application running on that port. You may also adjust mailcows ports via the `mailcow.conf` configuration file. From c8d1efea25abba0599a61b416fd318a81fbe5ec6 Mon Sep 17 00:00:00 2001 From: Daniel Date: Sun, 7 Feb 2021 15:25:23 +0100 Subject: [PATCH 050/288] Internal subnet Adding the internal subnet to the nc configuration. Helped to access the nc instance via my reverse proxy. It was accessible from outside, just not from inside. --- docs/third_party-nextcloud.md | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/docs/third_party-nextcloud.md b/docs/third_party-nextcloud.md index c6466b7de..2173bcdd5 100644 --- a/docs/third_party-nextcloud.md +++ b/docs/third_party-nextcloud.md 
@@ -75,3 +75,31 @@ If you have previously used Nextcloud without mailcow authentication, but with t ``` INSERT INTO nc_sociallogin_connect (uid, identifier) SELECT DISTINCT uid, CONCAT("Mailcow-", uid) FROM nc_users; ``` + +--- + +## Update + +The Nextcloud instance can be updated easily with the web update mechanism. In the case of larger updates, there may be further changes to be made after the update. After the Nextcloud instance has been checked, problems are shown. This can be e.g. missing indices in the DB or similar. +It shows which commands have to be executed, these have to be placed in the php-fpm-mailcow container. + +As an an example run the following command to add the missing indices. +`docker exec -it -u www-data $ (docker ps -f name = php-fpm-mailcow -q) bash -c "php / web / nextcloud / occ db: add-missing-indices"` + +--- + +## Debugging & Troubleshooting + +It may happen that you cannot reach the Nextcloud instance from your network. This may be due to the fact that the entry of your subnet in the array 'trusted_proxies' is missing. You can make changes in the Nextcloud config.php in data/web/nextcloud/config/*. + +``` +'trusted_proxies' => + array ( + 0 => 'fd4d:6169:6c63:6f77::/64', + 1 => '172.22.1.0/24', + 2 => 'NewSubnet/24', + ), +``` + +After the changes have been made, the nginx container must be restarted. +`docker-compose restart nginx-mailcow` From 87e6f4b89fb4a667aee9dddcf1f17b2e83df0c0d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Sun, 7 Feb 2021 20:13:55 +0100 Subject: [PATCH 051/288] Update third_party-nextcloud.md --- docs/third_party-nextcloud.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/third_party-nextcloud.md b/docs/third_party-nextcloud.md index 2173bcdd5..388464be8 100644 --- a/docs/third_party-nextcloud.md +++ b/docs/third_party-nextcloud.md 
@@ -84,13 +84,13 @@ The Nextcloud instance can be updated easily with the web update mechanism. In t It shows which commands have to be executed, these have to be placed in the php-fpm-mailcow container. As an an example run the following command to add the missing indices. -`docker exec -it -u www-data $ (docker ps -f name = php-fpm-mailcow -q) bash -c "php / web / nextcloud / occ db: add-missing-indices"` +`docker exec -it -u www-data $ (docker ps -f name = php-fpm-mailcow -q) bash -c "php /web/nextcloud/occ db: add-missing-indices"` --- ## Debugging & Troubleshooting -It may happen that you cannot reach the Nextcloud instance from your network. This may be due to the fact that the entry of your subnet in the array 'trusted_proxies' is missing. You can make changes in the Nextcloud config.php in data/web/nextcloud/config/*. +It may happen that you cannot reach the Nextcloud instance from your network. This may be due to the fact that the entry of your subnet in the array 'trusted_proxies' is missing. You can make changes in the Nextcloud config.php in `data/web/nextcloud/config/*`. ``` 'trusted_proxies' => From ddcb55f3ccd2d7509ce75ce24aefceb4ce4e7342 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Sun, 7 Feb 2021 20:14:57 +0100 Subject: [PATCH 052/288] Update third_party-nextcloud.md Remove more spaces --- docs/third_party-nextcloud.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/third_party-nextcloud.md b/docs/third_party-nextcloud.md index 388464be8..31153440c 100644 --- a/docs/third_party-nextcloud.md +++ b/docs/third_party-nextcloud.md 
@@ -84,7 +84,7 @@ The Nextcloud instance can be updated easily with the web update mechanism. In t It shows which commands have to be executed, these have to be placed in the php-fpm-mailcow container. As an an example run the following command to add the missing indices. -`docker exec -it -u www-data $ (docker ps -f name = php-fpm-mailcow -q) bash -c "php /web/nextcloud/occ db: add-missing-indices"` +`docker exec -it -u www-data $(docker ps -f name=php-fpm-mailcow -q) bash -c "php /web/nextcloud/occ db:add-missing-indices"` --- From 637ccfe5f4d5f7cd3a8c8ed0e0f2f63c068fdb29 Mon Sep 17 00:00:00 2001 From: guiguir68 <46498821+guiguir68@users.noreply.github.com> Date: Mon, 8 Feb 2021 00:48:59 +0100 Subject: [PATCH 053/288] Updated copyright year and HNY! --- mkdocs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mkdocs.yml b/mkdocs.yml index 704d0f072..55f8d40e2 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -1,6 +1,6 @@ site_name: 'mailcow: dockerized documentation' site_url: https://mailcow.github.io/mailcow-dockerized-docs/ -copyright: 'Copyright © 2020 André Peters' +copyright: 'Copyright © 2021 André Peters' repo_name: mailcow/mailcow-dockerized repo_url: https://github.com/mailcow/mailcow-dockerized edit_uri: ../mailcow-dockerized-docs/edit/master/docs/ From f41a9f75d8c71fb683c2c1644a6c43377cc678ec Mon Sep 17 00:00:00 2001 From: Rijul-Ahuja <31570722+Rijul-Ahuja@users.noreply.github.com> Date: Mon, 8 Feb 2021 06:32:36 +0000 Subject: [PATCH 054/288] Remove superfluous space character from override Remove the extra space character at the start of the services line in the ofelia docker-compose.override.yml --- docs/u_e-dovecot-expunge.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/u_e-dovecot-expunge.md b/docs/u_e-dovecot-expunge.md index d6fc3ac24..5c1d3cedc 100644 --- a/docs/u_e-dovecot-expunge.md +++ b/docs/u_e-dovecot-expunge.md 
@@ -61,7 +61,7 @@ To archive this with a docker job scheduler use this docker-compose.override.yml ``` version: '2.1' - services: +services: ofelia: image: mcuadros/ofelia:latest @@ -90,4 +90,4 @@ common.go:124 ▶ NOTICE [Job "dovecot-expunge-trash" (8759567efa66)] Finished i If it failed it will say so and give you the output of the doveadm in the log to make it easy on you to debug. -In case you want to add more jobs, ensure you change the "dovecot-expunge-trash" part after "ofelia.job-exec." to something else, it defines the name of the job. Syntax of the labels you find at [mcuadros/ofelia](https://github.com/mcuadros/ofelia). \ No newline at end of file +In case you want to add more jobs, ensure you change the "dovecot-expunge-trash" part after "ofelia.job-exec." to something else, it defines the name of the job. Syntax of the labels you find at [mcuadros/ofelia](https://github.com/mcuadros/ofelia). From 9890ae082c6770643cd3fe845e1c5bd078e1d087 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Wed, 10 Feb 2021 09:36:39 +0100 Subject: [PATCH 055/288] Update third_party-portainer.md --- docs/third_party-portainer.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/third_party-portainer.md b/docs/third_party-portainer.md index c3f4270d6..deebe9d79 100644 --- a/docs/third_party-portainer.md +++ b/docs/third_party-portainer.md @@ -5,7 +5,7 @@ In order to enable Portainer, the docker-compose.yml and site.conf for Nginx mus version: '2.1' services: portainer-mailcow: - image: portainer/portainer + image: portainer/portainer-ce volumes: - /var/run/docker.sock:/var/run/docker.sock - ./data/conf/portainer:/data From 558d92bc0d686843bf123d9e53f9d97c2964707e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Thu, 11 Feb 2021 09:48:42 +0100 Subject: [PATCH 056/288] Update model-passwd.md --- docs/model-passwd.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) 
diff --git a/docs/model-passwd.md b/docs/model-passwd.md index daddcb59d..3c15dd205 100644 --- a/docs/model-passwd.md +++ b/docs/model-passwd.md @@ -14,9 +14,27 @@ The methods above can be used in `mailcow.conf` as `MAILCOW_PASS_SCHEME` value. The following methods are supported **read only**. +- ARGON2I +- ARGON2ID +- CLEAR +- CLEARTEXT +- CRYPT +- DES-CRYPT +- LDAP-MD5 +- MD5 - MD5-CRYPT +- PBKDF2 +- PLAIN +- PLAIN-MD4 - PLAIN-MD5 +- PLAIN-TRUNC +- SHA +- SHA1 +- SHA256 +- SHA256-CRYPT +- SHA512 - SHA512-CRYPT +- SMD5 That means mailcow is able to verify users with a hash like `{PLAIN-MD5}1a1dc91c907325c69271ddf0c944bc72` from the database. From c774f70998fb50ace964599a844dd86ff0242721 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Thu, 11 Feb 2021 09:56:11 +0100 Subject: [PATCH 057/288] Update model-passwd.md --- docs/model-passwd.md | 34 ++++++++++++++++++---------------- 1 file changed, 18 insertions(+), 16 deletions(-) diff --git a/docs/model-passwd.md b/docs/model-passwd.md index 3c15dd205..05b710ac2 100644 --- a/docs/model-passwd.md +++ b/docs/model-passwd.md 
@@ -12,29 +12,31 @@ The methods above can be used in `mailcow.conf` as `MAILCOW_PASS_SCHEME` value. ## Read-only hashing methods -The following methods are supported **read only**. +The following methods are supported **read only**. +If you plan to use SOGo (as per default), you need a SOGo compatible hashing method. Please see the note at the bottom of this page how to update the view if necessary. +With SOGo disabled, all hashing methods below will be able to be read by mailcow and Dovecot. -- ARGON2I -- ARGON2ID +- ARGON2I (SOGo compatible) +- ARGON2ID (SOGo compatible) - CLEAR - CLEARTEXT -- CRYPT +- CRYPT (SOGo compatible) - DES-CRYPT -- LDAP-MD5 -- MD5 -- MD5-CRYPT -- PBKDF2 -- PLAIN +- LDAP-MD5 (SOGo compatible) +- MD5 (SOGo compatible) +- MD5-CRYPT (SOGo compatible) +- PBKDF2 (SOGo compatible) +- PLAIN (SOGo compatible) - PLAIN-MD4 - PLAIN-MD5 - PLAIN-TRUNC -- SHA -- SHA1 -- SHA256 -- SHA256-CRYPT -- SHA512 -- SHA512-CRYPT -- SMD5 +- SHA (SOGo compatible) +- SHA1 (SOGo compatible) +- SHA256 (SOGo compatible) +- SHA256-CRYPT (SOGo compatible) +- SHA512 (SOGo compatible) +- SHA512-CRYPT (SOGo compatible) +- SMD5 (SOGo compatible) That means mailcow is able to verify users with a hash like `{PLAIN-MD5}1a1dc91c907325c69271ddf0c944bc72` from the database. From cf7677ac19c47a5aa65abcfd45dcbb2e3efebe86 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Thu, 11 Feb 2021 09:57:01 +0100 Subject: [PATCH 058/288] Update model-passwd.md --- docs/model-passwd.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/model-passwd.md b/docs/model-passwd.md index 05b710ac2..3e74ac6d5 100644 --- a/docs/model-passwd.md +++ b/docs/model-passwd.md 
@@ -38,7 +38,7 @@ With SOGo disabled, all hashing methods below will be able to be read by mailcow - SHA512-CRYPT (SOGo compatible) - SMD5 (SOGo compatible) -That means mailcow is able to verify users with a hash like `{PLAIN-MD5}1a1dc91c907325c69271ddf0c944bc72` from the database. +That means mailcow is able to verify users with a hash like `{MD5}1a1dc91c907325c69271ddf0c944bc72` from the database. The value of `MAILCOW_PASS_SCHEME` will _always_ be used to encrypt new passwords. From 727e841bee81deb9e7a04b3ffbf9ddcdef43e67d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Fri, 12 Feb 2021 11:23:12 +0100 Subject: [PATCH 059/288] Update prerequisite-system.md --- docs/prerequisite-system.md | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/docs/prerequisite-system.md b/docs/prerequisite-system.md index c70415166..ecf6dbf96 100644 --- a/docs/prerequisite-system.md +++ b/docs/prerequisite-system.md 
@@ -59,17 +59,19 @@ If this command returns any results please remove or stop the application runnin If you have a firewall in front of mailcow, please make sure that these ports are open for incoming connections: -| Service | Protocol | Port | Container | Variable | -| --------------------|:--------:|:-------|:----------------|----------------------------------| -| Postfix SMTP | TCP | 25 | postfix-mailcow | `${SMTP_PORT}` | -| Postfix SMTPS | TCP | 465 | postfix-mailcow | `${SMTPS_PORT}` | -| Postfix Submission | TCP | 587 | postfix-mailcow | `${SUBMISSION_PORT}` | -| Dovecot IMAP | TCP | 143 | dovecot-mailcow | `${IMAP_PORT}` | -| Dovecot IMAPS | TCP | 993 | dovecot-mailcow | `${IMAPS_PORT}` | -| Dovecot POP3 | TCP | 110 | dovecot-mailcow | `${POP_PORT}` | -| Dovecot POP3S | TCP | 995 | dovecot-mailcow | `${POPS_PORT}` | -| Dovecot ManageSieve | TCP | 4190 | dovecot-mailcow | `${SIEVE_PORT}` | -| HTTP(S) | TCP | 80/443 | nginx-mailcow | `${HTTP_PORT}` / `${HTTPS_PORT}` | +| Service | Protocol | Port | Container | Variable | +| --------------------|:--------:|:-------|:------------------|----------------------------------| +| Postfix SMTP | TCP | 25 | postfix-mailcow | `${SMTP_PORT}` | +| Postfix SMTPS | TCP | 465 | postfix-mailcow | `${SMTPS_PORT}` | +| Postfix Submission | TCP | 587 | postfix-mailcow | `${SUBMISSION_PORT}` | +| Dovecot IMAP | TCP | 143 | dovecot-mailcow | `${IMAP_PORT}` | +| Dovecot IMAPS | TCP | 993 | dovecot-mailcow | `${IMAPS_PORT}` | +| Dovecot POP3 | TCP | 110 | dovecot-mailcow | `${POP_PORT}` | +| Dovecot POP3S | TCP | 995 | dovecot-mailcow | `${POPS_PORT}` | +| Dovecot ManageSieve | TCP | 4190 | dovecot-mailcow | `${SIEVE_PORT}` | +| HTTP(S) | TCP | 80/443 | nginx-mailcow | `${HTTP_PORT}` / `${HTTPS_PORT}` | +| XMPP (c2s) | TCP | 5222 | ejabberd-mailcow | `${XMPP_C2S_PORT}` | +| XMPP (s2s) | TCP | 5269 | ejabberd-mailcow | `${XMPP_C2S_PORT}` | To bind a service to an IP address, you can prepend the IP like this: `SMTP_PORT=1.2.3.4:25` 
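Review bot: The new `XMPP (s2s)` row for port 5269 lists `${XMPP_C2S_PORT}`, the same variable as the `XMPP (c2s)` row directly above it for port 5222, which reads as a copy-paste slip. Someone who binds or firewalls these ports by variable name would end up changing the client listener while the server-to-server port stays as it was. Name the server-to-server variable in that row, or state explicitly that both ports are driven by one setting if that is really the case.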
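Review bot: In [PATCH 049/288] (docs/prerequisite-system.md, the `!!! warning` block), the added closing sentence "Use the FORWARD chain instead" pulls against the advice two sentences earlier in the same block to move the ruleset to DOCKER-USER. Docker jumps to DOCKER-USER from FORWARD ahead of its own rules, and the block already notes that DOCKER-USER survives a Docker service restart, so the last sentence should point at DOCKER-USER as well. As written, a reader can take it as a recommendation to add filters directly to FORWARD, where they sit next to the rules Docker manages.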
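Review bot: In [PATCH 050/288] (docs/third_party-nextcloud.md, "Debugging & Troubleshooting"), the `2 => 'NewSubnet/24'` example invites adding a whole client network to `trusted_proxies`, but that array lists the hosts whose forwarded client-address headers Nextcloud will believe. The paragraph should ask for the reverse proxy's own address, or the narrowest range that contains it, and say why. With a full /24 listed, any host in that range that connects directly can supply its own forwarded-for value, which then shows up in Nextcloud's logs and login throttling as the client address.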
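Review bot: In [PATCH 056/288] (docs/model-passwd.md, the read-only list), `CLEAR`, `CLEARTEXT`, `PLAIN` and unsalted digests such as `PLAIN-MD4`, `PLAIN-MD5` and `SHA1` are added next to `ARGON2ID` with nothing to tell them apart. Add a sentence that "read only" means these values can be verified at login but are never written, and that accounts imported with a cleartext or unsalted scheme should have their passwords changed so they are stored again with `MAILCOW_PASS_SCHEME`. Grouping the list by strength, or marking the cleartext entries, would make the same point at a glance.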
From 897832db13a4f62dedbdcf8b94593782af22c901 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Fri, 12 Feb 2021 11:23:49 +0100 Subject: [PATCH 060/288] Update prerequisite-system.md --- docs/prerequisite-system.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/prerequisite-system.md b/docs/prerequisite-system.md index ecf6dbf96..9cefa6697 100644 --- a/docs/prerequisite-system.md +++ b/docs/prerequisite-system.md @@ -44,9 +44,9 @@ We can help to correctly plan your setup as part of our support. Please check if any of mailcow's standard ports are open and not in use by other applications: ``` -ss -tlpn | grep -E -w '25|80|110|143|443|465|587|993|995|4190' +ss -tlpn | grep -E -w '25|80|110|143|443|465|587|993|995|4190|5222|5269' # or: -netstat -tulpn | grep -E -w '25|80|110|143|443|465|587|993|995|4190' +netstat -tulpn | grep -E -w '25|80|110|143|443|465|587|993|995|4190|5222|5269' ``` !!! warning From af053eb146f81ee58392147f37b5f00d4a2a7678 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Fri, 12 Feb 2021 12:29:55 +0100 Subject: [PATCH 061/288] Update firststeps-rp.md --- docs/firststeps-rp.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/docs/firststeps-rp.md b/docs/firststeps-rp.md index c37bc2c01..3574c2767 100644 --- a/docs/firststeps-rp.md +++ b/docs/firststeps-rp.md @@ -43,11 +43,13 @@ Let's Encrypt will follow our rewrite, certificate requests in mailcow will work **Take care of highlighted lines.** -``` apache hl_lines="2 10 11 17 22 23 24 25 30 31" +``` apache hl_lines="2 5 6 12 13 19 22 23 26 27 28 29 34 35" ServerName CHANGE_TO_MAILCOW_HOSTNAME ServerAlias autodiscover.* ServerAlias autoconfig.* + ServerAlias xmpp_prefix_if_any.domain + ServerAlias *.xmpp_prefix_if_any.domain RewriteEngine on RewriteCond %{HTTPS} off 
@@ -63,6 +65,8 @@ Let's Encrypt will follow our rewrite, certificate requests in mailcow will work ServerName CHANGE_TO_MAILCOW_HOSTNAME ServerAlias autodiscover.* ServerAlias autoconfig.* + ServerAlias xmpp_prefix_if_any.domain + ServerAlias *.xmpp_prefix_if_any.domain # You should proxy to a plain HTTP session to offload SSL processing ProxyPass /Microsoft-Server-ActiveSync http://127.0.0.1:8080/Microsoft-Server-ActiveSync connectiontimeout=4000 @@ -97,13 +101,13 @@ Let's Encrypt will follow our rewrite, certificate requests will work fine. server { listen 80 default_server; listen [::]:80 default_server; - server_name CHANGE_TO_MAILCOW_HOSTNAME autodiscover.* autoconfig.*; + server_name CHANGE_TO_MAILCOW_HOSTNAME autodiscover.* autoconfig.* xmpp_prefix_if_any.domain *.xmpp_prefix_if_any.domain; return 301 https://$host$request_uri; } server { listen 443 ssl http2; listen [::]:443 ssl http2; - server_name CHANGE_TO_MAILCOW_HOSTNAME autodiscover.* autoconfig.*; + server_name CHANGE_TO_MAILCOW_HOSTNAME autodiscover.* autoconfig.* xmpp_prefix_if_any.domain *.xmpp_prefix_if_any.domain; ssl_certificate MAILCOW_PATH/data/assets/ssl/cert.pem; ssl_certificate_key MAILCOW_PATH/data/assets/ssl/key.pem; From a68fc8d0b88c2df46ec2e2c8c3efc6fd7a18d912 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Fri, 12 Feb 2021 15:45:35 +0100 Subject: [PATCH 062/288] Update prerequisite-system.md --- docs/prerequisite-system.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/prerequisite-system.md b/docs/prerequisite-system.md index 9cefa6697..933440d5a 100644 --- a/docs/prerequisite-system.md +++ b/docs/prerequisite-system.md 
@@ -72,6 +72,7 @@ If you have a firewall in front of mailcow, please make sure that these ports ar | HTTP(S) | TCP | 80/443 | nginx-mailcow | `${HTTP_PORT}` / `${HTTPS_PORT}` | | XMPP (c2s) | TCP | 5222 | ejabberd-mailcow | `${XMPP_C2S_PORT}` | | XMPP (s2s) | TCP | 5269 | ejabberd-mailcow | `${XMPP_C2S_PORT}` | +| XMPP (upload) | TCP | 5443 | ejabberd-mailcow | `${XMPP_HTTPS_PORT}` | To bind a service to an IP address, you can prepend the IP like this: `SMTP_PORT=1.2.3.4:25` From fa46f74de19c36fc105f07d06c23ce215a018cf3 Mon Sep 17 00:00:00 2001 From: Peter Date: Sat, 13 Feb 2021 21:38:03 +0100 Subject: [PATCH 063/288] Update prerequisite-system.md --- docs/prerequisite-system.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/prerequisite-system.md b/docs/prerequisite-system.md index 933440d5a..8ece0257c 100644 --- a/docs/prerequisite-system.md +++ b/docs/prerequisite-system.md @@ -44,9 +44,9 @@ We can help to correctly plan your setup as part of our support. Please check if any of mailcow's standard ports are open and not in use by other applications: ``` -ss -tlpn | grep -E -w '25|80|110|143|443|465|587|993|995|4190|5222|5269' +ss -tlpn | grep -E -w '25|80|110|143|443|465|587|993|995|4190|5222|5269|5443' # or: -netstat -tulpn | grep -E -w '25|80|110|143|443|465|587|993|995|4190|5222|5269' +netstat -tulpn | grep -E -w '25|80|110|143|443|465|587|993|995|4190|5222|5269|5443' ``` !!! warning From 2c4b66814c8227ee6aaa24fff30cdb20cbb0ab92 Mon Sep 17 00:00:00 2001 
From: andryyy Date: Sun, 14 Feb 2021 18:01:51 +0100 Subject: [PATCH 064/288] [WIP] XMPP --- ...prem.md => third_party-exchange_onprem.md} | 0 ...d => third_party-mailpiler_integration.md} | 0 docs/u_e-xmpp-autoconfig.md | 1 + docs/u_e-xmpp-certs.md | 1 + docs/u_e-xmpp-enable.md | 1 + mkdocs.yml | 125 +++++++++--------- 6 files changed, 68 insertions(+), 60 deletions(-) rename docs/{u_e-exchange-onprem.md => third_party-exchange_onprem.md} (100%) rename docs/{u_e-mailpiler-integration.md => third_party-mailpiler_integration.md} (100%) create mode 100644 docs/u_e-xmpp-autoconfig.md create mode 100644 docs/u_e-xmpp-certs.md create mode 100644 docs/u_e-xmpp-enable.md diff --git a/docs/u_e-exchange-onprem.md b/docs/third_party-exchange_onprem.md similarity index 100% rename from docs/u_e-exchange-onprem.md rename to docs/third_party-exchange_onprem.md diff --git a/docs/u_e-mailpiler-integration.md b/docs/third_party-mailpiler_integration.md similarity index 100% rename from docs/u_e-mailpiler-integration.md rename to docs/third_party-mailpiler_integration.md diff --git a/docs/u_e-xmpp-autoconfig.md b/docs/u_e-xmpp-autoconfig.md new file mode 100644 index 000000000..464090415 --- /dev/null +++ b/docs/u_e-xmpp-autoconfig.md @@ -0,0 +1 @@ +# TODO diff --git a/docs/u_e-xmpp-certs.md b/docs/u_e-xmpp-certs.md new file mode 100644 index 000000000..464090415 --- /dev/null +++ b/docs/u_e-xmpp-certs.md @@ -0,0 +1 @@ +# TODO diff --git a/docs/u_e-xmpp-enable.md b/docs/u_e-xmpp-enable.md new file mode 100644 index 000000000..464090415 --- /dev/null +++ b/docs/u_e-xmpp-enable.md @@ -0,0 +1 @@ +# TODO diff --git a/mkdocs.yml b/mkdocs.yml index 55f8d40e2..fb3da08a4 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
@@ -28,90 +28,93 @@ nav: - 'Installation': 'i_u_m_install.md' - 'Update': 'i_u_m_update.md' - 'Migration': 'i_u_m_migration.md' -- 'First Steps (optional)': - - 'Untrust RFC 1918': 'firststeps-rfc-1918.md' +- 'Post-Installation tasks (optional)': - 'Advanced SSL': 'firststeps-ssl.md' - - 'Rspamd UI': 'firststeps-rspamd_ui.md' - - 'Reverse Proxy': 'firststeps-rp.md' - - 'SNAT': 'firststeps-snat.md' - 'Disable IPv6': 'firststeps-disable_ipv6.md' - - 'Relayhosts': 'firststeps-relayhost.md' - - 'Logging': 'firststeps-logging.md' - - 'Local MTA on Docker host': 'firststeps-local_mta.md' - - 'Sync job migration': 'firststeps-sync_jobs_migration.md' - 'IP bindings': 'firststeps-ip_bindings.md' + - 'Local MTA on Docker host': 'firststeps-local_mta.md' + - 'Logging': 'firststeps-logging.md' + - 'Relayhosts': 'firststeps-relayhost.md' + - 'Reverse Proxy': 'firststeps-rp.md' + - 'Rspamd UI': 'firststeps-rspamd_ui.md' + - 'SNAT': 'firststeps-snat.md' + - 'Sync job migration': 'firststeps-sync_jobs_migration.md' + - 'Untrust RFC 1918': 'firststeps-rfc-1918.md' - 'Models': - 'ACL': 'model-acl.md' - 'Password hashing': 'model-passwd.md' - 'Sender and receiver model': 'model-sender_rcv.md' -- 'Debugging & Troubleshooting': - - 'Introduction': debug.md - - 'Logs': 'debug-logs.md' - - 'Attach a Container': 'debug-attach_service.md' - - 'Reset Passwords (incl. SQL)': 'debug-reset_pw.md' - - 'Manual MySQL upgrade': 'debug-mysql_upgrade.md' - - 'Remove Persistent Data': 'debug-rm_volumes.md' - - 'Common Problems': 'debug-common_problems.md' - - 'Admin login to SOGo': 'debug-admin_login_sogo.md' +- 'General Troubleshooting': + - 'Introduction': debug.md + - 'Logs': 'debug-logs.md' + - 'Attach a Container': 'debug-attach_service.md' + - 'Reset Passwords (incl. 
SQL)': 'debug-reset_pw.md' + - 'Manual MySQL upgrade': 'debug-mysql_upgrade.md' + - 'Remove Persistent Data': 'debug-rm_volumes.md' + - 'Common Problems': 'debug-common_problems.md' + - 'Admin login to SOGo': 'debug-admin_login_sogo.md' - 'Backup & Restore': - 'Helper script': - - 'Backup': 'b_n_r_backup.md' - - 'Restore': 'b_n_r_restore.md' + - 'Backup': 'b_n_r_backup.md' + - 'Restore': 'b_n_r_restore.md' - 'Manually': - - 'Maildir': 'u_e-backup_restore-maildir.md' - - 'MySQL': 'u_e-backup_restore-mysql.md' -- 'Usage & Examples': + - 'Maildir': 'u_e-backup_restore-maildir.md' + - 'MySQL': 'u_e-backup_restore-mysql.md' +- 'Manual/Guides/Examples': - 'mailcow UI': - - 'Configuration': 'u_e-mailcow_ui-config.md' - - 'Blacklist / Whitelist': 'u_e-mailcow_ui-bl_wl.md' - - 'Pushover': 'u_e-mailcow_ui-pushover.md' - - 'Spamfilter': 'u_e-mailcow_ui-spamfilter.md' - - 'Temporary email aliases': 'u_e-mailcow_ui-spamalias.md' - - 'Tagging': 'u_e-mailcow_ui-tagging.md' - - 'Two-Factor Authentication': 'u_e-mailcow_ui-tfa.md' - - 'WebAuthn / FIDO2': 'u_e-fido2.md' + - 'Configuration': 'u_e-mailcow_ui-config.md' + - 'Blacklist / Whitelist': 'u_e-mailcow_ui-bl_wl.md' + - 'Pushover': 'u_e-mailcow_ui-pushover.md' + - 'Spamfilter': 'u_e-mailcow_ui-spamfilter.md' + - 'Temporary email aliases': 'u_e-mailcow_ui-spamalias.md' + - 'Tagging': 'u_e-mailcow_ui-tagging.md' + - 'Two-Factor Authentication': 'u_e-mailcow_ui-tfa.md' + - 'WebAuthn / FIDO2': 'u_e-fido2.md' - 'Postfix': - - 'Custom transport maps': 'u_e-postfix-custom_transport.md' - - 'Whitelist IP in Postscreen': 'u_e-postfix-postscreen_whitelist.md' - - 'Customize/Expand main.cf': 'u_e-postfix-extra_cf.md' - - 'Disable Sender Addresses Verification': 'u_e-postfix-disable_sender_verification.md' - - 'Max. 
message size (attachment size)': 'u_e-postfix-attachment_size.md' - - 'Statistics with pflogsumm': 'u_e-postfix-pflogsumm.md' + - 'Custom transport maps': 'u_e-postfix-custom_transport.md' + - 'Whitelist IP in Postscreen': 'u_e-postfix-postscreen_whitelist.md' + - 'Customize/Expand main.cf': 'u_e-postfix-extra_cf.md' + - 'Disable Sender Addresses Verification': 'u_e-postfix-disable_sender_verification.md' + - 'Max. message size (attachment size)': 'u_e-postfix-attachment_size.md' + - 'Statistics with pflogsumm': 'u_e-postfix-pflogsumm.md' - 'Unbound': - - 'Using an external DNS service': 'u_e-unbound-fwd.md' + - 'Using an external DNS service': 'u_e-unbound-fwd.md' - 'Dovecot': - - 'Enable "any" ACL settings': 'u_e-dovecot-any_acl.md' - - 'Expunge a Users mails': 'u_e-dovecot-expunge.md' - - 'Customize/Expand dovecot.conf': 'u_e-dovecot-extra_conf.md' - - 'FTS (Solr)': 'u_e-dovecot-fts.md' - - 'IMAP IDLE interval': 'u_e-dovecot-idle_interval.md' - - 'Mail crypt': 'u_e-dovecot-mail-crypt.md' - - 'More Examples with DOVEADM': 'u_e-dovecot-more.md' - - 'Move vmail volume': 'u_e-dovecot-vmail-volume.md' - - 'Public folders': 'u_e-dovecot-public_folder.md' - - 'Static master user': 'u_e-dovecot-static_master.md' + - 'Enable "any" ACL settings': 'u_e-dovecot-any_acl.md' + - 'Expunge a Users mails': 'u_e-dovecot-expunge.md' + - 'Customize/Expand dovecot.conf': 'u_e-dovecot-extra_conf.md' + - 'FTS (Solr)': 'u_e-dovecot-fts.md' + - 'IMAP IDLE interval': 'u_e-dovecot-idle_interval.md' + - 'Mail crypt': 'u_e-dovecot-mail-crypt.md' + - 'More Examples with DOVEADM': 'u_e-dovecot-more.md' + - 'Move Maildir (vmail)': 'u_e-dovecot-vmail-volume.md' + - 'Public folders': 'u_e-dovecot-public_folder.md' + - 'Static master user': 'u_e-dovecot-static_master.md' - 'Nginx': - - 'Custom sites': 'u_e-nginx.md' - - 'Create subdomain webmail.example.org': 'u_e-webmail-site.md' + - 'Custom sites': 'u_e-nginx.md' + - 'Create subdomain webmail.example.org': 'u_e-webmail-site.md' - 'Redis': 
'u_e-redis.md' - 'Rspamd': 'u_e-rspamd.md' - 'SOGo': 'u_e-sogo.md' + - 'XMPP': + - 'Enable XMPP': 'u_e-xmpp-enable.md' + - 'Certificates': 'u_e-xmpp-certs.md' + - 'Autoconfig': 'u_e-xmpp-autoconfig.md' - 'Docker': - - 'Customize Dockerfiles': 'u_e-docker-cust_dockerfiles.md' - - 'Docker Compose Bash Completion': 'u_e-docker-dc_bash_compl.md' + - 'Customize Dockerfiles': 'u_e-docker-cust_dockerfiles.md' + - 'Docker Compose Bash Completion': 'u_e-docker-dc_bash_compl.md' - 'Why unbound?': 'u_e-why_unbound.md' - 'Autodiscover / Autoconfig': 'u_e-autodiscover_config.md' - 'Redirect HTTP to HTTPS': 'u_e-80_to_443.md' - 'Adjust Service Configurations': 'u_e-change_config.md' - 'Deinstall': 'u_e-deinstall.md' - 'Re-enable TLS 1.0 and TLS 1.1': 'u_e-reeanble-weak-protocols.md' - - 'Mailpiler Integration': 'u_e-mailpiler-integration.md' - - 'Exchange Hybrid Setup': 'u_e-exchange-onprem.md' - 'Client Configuration': - 'Overview': 'client.md' - 'Android': 'client/client-android.md' - 'Apple macOS / iOS': 'client/client-apple.md' - 'eM Client': 'client/client-emclient.md' + - 'Gajim XMPP client': 'client/client-gajim_xmpp_client.md' - 'KDE Kontact': 'client/client-kontact.md' - 'Microsoft Outlook': 'client/client-outlook.md' - 'Mozilla Thunderbird': 'client/client-thunderbird.md' 
@@ -119,12 +122,14 @@ nav: - 'Windows Phone': 'client/client-windowsphone.md' - 'Manual configuration': 'client/client-manual.md' - 'Third party apps': - - 'SOGo Connector for Thunderbird': 'third_party-thunderbird.md' - - 'Roundcube': 'third_party-roundcube.md' - - 'Portainer': 'third_party-portainer.md' - - 'Gogs': 'third_party-gogs.md' + - 'Exchange Hybrid Setup': 'third_party-exchange_onprem.md' - 'Gitea': 'third_party-gitea.md' + - 'Gogs': 'third_party-gogs.md' + - 'Mailpiler Integration': 'third_party-mailpiler_integration.md' - 'Nextcloud': 'third_party-nextcloud.md' + - 'Portainer': 'third_party-portainer.md' + - 'Roundcube': 'third_party-roundcube.md' + - 'SOGo Connector for Thunderbird': 'third_party-thunderbird.md' icon: logo: 'images/logo.svg' extra: @@ -133,8 +138,8 @@ extra: accent: 'orange' social: - icon: fontawesome/solid/globe-americas - link: https://mailcow.email + link: https://mailcow.email - icon: fontawesome/brands/github-alt - link: https://github.com/mailcow + link: https://github.com/mailcow extra_css: [extra.css] extra_javascript: [clients.js] From 960a66944a9f5adfd85f316dd74a779f107a5dd7 Mon Sep 17 00:00:00 2001 From: andryyy Date: Sun, 14 Feb 2021 20:39:15 +0100 Subject: [PATCH 065/288] Fix build --- mkdocs.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/mkdocs.yml b/mkdocs.yml index fb3da08a4..b05d837ac 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -138,8 +138,8 @@ extra: accent: 'orange' social: - icon: fontawesome/solid/globe-americas - link: https://mailcow.email + link: https://mailcow.email - icon: fontawesome/brands/github-alt - link: https://github.com/mailcow + link: https://github.com/mailcow extra_css: [extra.css] extra_javascript: [clients.js] From b8bf1b54cdb358aebf457d93a77ce13c4d415a00 Mon Sep 17 00:00:00 2001 From: andryyy Date: Sun, 14 Feb 2021 20:50:08 +0100 Subject: [PATCH 066/288] Fix sidebar width --- mkdocs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/mkdocs.yml b/mkdocs.yml index b05d837ac..32c8ceebc 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -28,7 +28,7 @@ nav: - 'Installation': 'i_u_m_install.md' - 'Update': 'i_u_m_update.md' - 'Migration': 'i_u_m_migration.md' -- 'Post-Installation tasks (optional)': +- 'Post Installation Tasks': - 'Advanced SSL': 'firststeps-ssl.md' - 'Disable IPv6': 'firststeps-disable_ipv6.md' - 'IP bindings': 'firststeps-ip_bindings.md' From f53af816ffc1bb9650041c2ff89d5fdcf34cd401 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Mon, 15 Feb 2021 21:01:34 +0100 Subject: [PATCH 067/288] Update prerequisite-dns.md --- docs/prerequisite-dns.md | 32 ++++++++++++++------------------ 1 file changed, 14 insertions(+), 18 deletions(-) diff --git a/docs/prerequisite-dns.md b/docs/prerequisite-dns.md index 1de6f22b7..0d198c428 100644 --- a/docs/prerequisite-dns.md +++ b/docs/prerequisite-dns.md @@ -23,10 +23,9 @@ This example shows you a set of records for one domain managed by mailcow. Each ``` # Name Type Value mail IN A 1.2.3.4 -autodiscover IN CNAME mail -autoconfig IN CNAME mail - -@ IN MX 10 mail +autodiscover IN CNAME mail.example.org. (your ${MAILCOW_HOSTNAME}) +autoconfig IN CNAME mail.example.org. (your ${MAILCOW_HOSTNAME}) +@ IN MX 10 mail.example.org. (your ${MAILCOW_HOSTNAME}) ``` ## DKIM, SPF and DMARC @@ -35,7 +34,7 @@ In the example DNS zone file snippet below, a simple **SPF** TXT record is used ``` # Name Type Value -@ IN TXT "v=spf1 mx -all" +@ IN TXT "v=spf1 mx a -all" ``` It is highly recommended to create a **DKIM** TXT record in your mailcow UI and set the corresponding TXT record in your DNS records. Please refer to [OpenDKIM](http://www.opendkim.org) for further reading. 
@@ -58,21 +57,18 @@ _dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:mailauth-reports@ ``` # Name Type Priority Weight Port Value -_autodiscover._tcp IN SRV 0 1 443 mail.example.org. -_caldavs._tcp IN SRV 0 1 443 mail.example.org. +_autodiscover._tcp IN SRV 0 1 443 mail.example.org. (your ${MAILCOW_HOSTNAME}) +_caldavs._tcp IN SRV 0 1 443 mail.example.org. (your ${MAILCOW_HOSTNAME}) _caldavs._tcp IN TXT "path=/SOGo/dav/" -_carddavs._tcp IN SRV 0 1 443 Mail.example.org. +_carddavs._tcp IN SRV 0 1 443 Mail.example.org. (your ${MAILCOW_HOSTNAME}) _carddavs._tcp IN TXT "path=/SOGo/dav/" -_imap._tcp IN SRV 0 1 143 mail.example.org. -_imaps._tcp IN SRV 0 1 993 mail.example.org. -_pop3._tcp IN SRV 0 1 110 mail.example.org. -_pop3s._tcp IN SRV 0 1 995 mail.example.org. -_sieve._tcp IN SRV 0 1 4190 mail.example.org. -_smtps._tcp IN SRV 0 1 465 mail.example.org. -_submission._tcp IN SRV 0 1 587 mail.example.org. - - - +_imap._tcp IN SRV 0 1 143 mail.example.org. (your ${MAILCOW_HOSTNAME}) +_imaps._tcp IN SRV 0 1 993 mail.example.org. (your ${MAILCOW_HOSTNAME}) +_pop3._tcp IN SRV 0 1 110 mail.example.org. (your ${MAILCOW_HOSTNAME}) +_pop3s._tcp IN SRV 0 1 995 mail.example.org. (your ${MAILCOW_HOSTNAME}) +_sieve._tcp IN SRV 0 1 4190 mail.example.org. (your ${MAILCOW_HOSTNAME}) +_smtps._tcp IN SRV 0 1 465 mail.example.org. (your ${MAILCOW_HOSTNAME}) +_submission._tcp IN SRV 0 1 587 mail.example.org. (your ${MAILCOW_HOSTNAME}) ``` ## Testing From 30929db73a72041a73f07a1e6d7faae9837d239a Mon Sep 17 00:00:00 2001 From: andryyy Date: Mon, 15 Feb 2021 21:29:45 +0100 Subject: [PATCH 068/288] Add XMPP --- docs/client/client-gajim_xmpp_client.md | 1 + docs/u_e-xmpp-autoconfig.md | 1 - docs/u_e-xmpp-certs.md | 1 - docs/u_e-xmpp-enable.md | 86 ++++++++++++++++++++++++- mkdocs.yml | 2 - 5 files changed, 86 insertions(+), 5 deletions(-) create mode 100644 docs/client/client-gajim_xmpp_client.md delete mode 100644 docs/u_e-xmpp-autoconfig.md delete mode 100644 docs/u_e-xmpp-certs.md 
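Review bot: In docs/prerequisite-dns.md the `(your ${MAILCOW_HOSTNAME})` hint is appended inside the fenced record examples (the CNAME/MX block and every SRV row), so a reader who copies a row into a zone file pastes text that is not part of the record; in zone-file syntax parentheses group a record across lines, they do not start a comment. Move the hint into the prose above each block or write it as a `;` comment. The `_carddavs._tcp` row still reads `Mail.example.org.` with a capital M while every other row uses `mail.example.org.`. The SPF value changes from `v=spf1 mx -all` to `v=spf1 mx a -all`, and neither the commit message nor the surrounding text says why the `a` mechanism is now needed.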
diff --git a/docs/client/client-gajim_xmpp_client.md b/docs/client/client-gajim_xmpp_client.md new file mode 100644 index 000000000..85e6ff194 --- /dev/null +++ b/docs/client/client-gajim_xmpp_client.md @@ -0,0 +1 @@ +# WIP diff --git a/docs/u_e-xmpp-autoconfig.md b/docs/u_e-xmpp-autoconfig.md deleted file mode 100644 index 464090415..000000000 --- a/docs/u_e-xmpp-autoconfig.md +++ /dev/null @@ -1 +0,0 @@ -# TODO diff --git a/docs/u_e-xmpp-certs.md b/docs/u_e-xmpp-certs.md deleted file mode 100644 index 464090415..000000000 --- a/docs/u_e-xmpp-certs.md +++ /dev/null @@ -1 +0,0 @@ -# TODO diff --git a/docs/u_e-xmpp-enable.md b/docs/u_e-xmpp-enable.md index 464090415..34bc3255a 100644 --- a/docs/u_e-xmpp-enable.md +++ b/docs/u_e-xmpp-enable.md 
@@ -1 +1,85 @@ -# TODO +XMPP is provided by ejabberd, which describes itself as robust, scalable and extensible XMPP Server. + +So first of all, thanks to ejabberd and its contributers! + +## Enable XMPP in mailcow + +To enable XMPP for a domain, you need to edit the given domain in mailcow UI: + +![Screen1](https://i.imgur.com/oLyHBke.png) + +The chosen prefix will be your XMPP domain for all XMPP-enabled users in mailcow, for example: + +- Mailbox cowboy@develcow.de will equal to Jabber ID cowboy@**xmpp_prefix**.develcow.de + +**The passwords for mail and XMPP are the same.** + +Before enabling XMPP for a domain, you should create two CNAME records in DNS: + +``` +# CNAMES +# Name Type Value +xmpp_prefix IN CNAME mail.example.org. (your ${MAILCOW_HOSTNAME}) +*.xmpp_prefix IN CNAME mail.example.org. (your ${MAILCOW_HOSTNAME}) +``` + +These two CNAMEs are essential for acquiring a certificate. Please **do not** add "xmpp_prefix.domain.tld" as name to `ADDITIONAL_SAN`. + +Make sure your CNAMEs are correct. Enable XMPP for your domain now. + +If you enabled XMPP first and then added your DNS records there is no need to worry. You will just need to wait for ejabberd to automatically acquire the certificates or +simply restart ejabberd-mailcow to trigger the process immediately: `docker-compose restart ejabberd-mailcow`. + +Once ejabberd is enabled, you may want to re-run the DNS check in the mailcow UI where you will find two more SRV records: + +![Screen2](https://i.imgur.com/IxlUZ7y.png) + +``` +# SRV records +# Name Type Priority Weight Port Value +_xmpp-client._tcp.xmpp_prefix IN SRV 10 1 5222 mail.example.org. (your ${MAILCOW_HOSTNAME}) +_xmpp-server._tcp.xmpp_prefix IN SRV 10 1 5269 mail.example.org. (your ${MAILCOW_HOSTNAME}) +``` + +There is no need to restart ejabberd, add these SRV records whenever you like. These records are crucial for autoconfiguration of XMPP clients and server-to-server connections. 
+ +## ACL + +A domain administrator can be given the right to toggle XMPP access for domains and mailboxes, promoting users to XMPP administrators (WIP) and to change the prefix: + +![Screen3](https://i.imgur.com/OxKuDFU.png) + +## Verify certificates + +Once everything is setup, make sure ejabberd was able to acquire certificates: + +If you see a message similar to... + +``` +ejabberd-mailcow_1 | 2021-02-13 14:40:19.507956+01:00 [error] Failed to request certificate for im.example.org, pubsub.im.example.org and 3 more hosts: Challenge failed for domain conference.im.example.org: ACME server reported: DNS problem: NXDOMAIN looking up A for conference.im.example.org - check that a DNS record exists for this domain (error type: dns) +``` + +...you may need to recheck your DNS configuration or restart ejabberd-mailcow to restart the process in case of slow DNS propagation. + +Opening `https://xmpp_prefix.domain.tld:5443/upload` should point you to a 404 page with a valid certificate. + +## Why can't we use no prefix? + +It does not matter which server name we point our SRV to, Jabber will always rely on the domain given in a JID. We would need to acquire a certificate for the SLD `domain.tld`, which hardly anyone wants to point to its mail system. + +We are sorry for this circumstance. As soon as we implemented Servercows DNS API, this may be reconsidered. + +## My reverse proxy does not work anymore + +If your reverse proxy is configured to point to a site like `webmail.domain.tld` **which mailcow is not aware of** (as in MAILCOW_HOSTNAME does **not** match `webmail.domain.tld`), you may now be redirected to the default ejabberd Nginx site. + +That's because mailcow does not know it should respond to `webmail.domain.tld` with mailcow UI. 
+ +In your reverse proxy configuration, make sure you set a "Host" header that mailcow actually services, similar to this (Nginx example): + +``` +proxy_set_header Host MAILCOW_HOSTNAME; +# Instead of proxy_set_header Host $http_host; +``` + +Now you can use whatever name you like, as long mailcow receives a known "Host" header. diff --git a/mkdocs.yml b/mkdocs.yml index 32c8ceebc..fe0cb444b 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -98,8 +98,6 @@ nav: - 'SOGo': 'u_e-sogo.md' - 'XMPP': - 'Enable XMPP': 'u_e-xmpp-enable.md' - - 'Certificates': 'u_e-xmpp-certs.md' - - 'Autoconfig': 'u_e-xmpp-autoconfig.md' - 'Docker': - 'Customize Dockerfiles': 'u_e-docker-cust_dockerfiles.md' - 'Docker Compose Bash Completion': 'u_e-docker-dc_bash_compl.md' From 0465031e0da268c4b55baa8cf0566da44f9038c2 Mon Sep 17 00:00:00 2001 From: andryyy Date: Mon, 15 Feb 2021 21:49:51 +0100 Subject: [PATCH 069/288] Some changes --- docs/u_e-xmpp-enable.md | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/docs/u_e-xmpp-enable.md b/docs/u_e-xmpp-enable.md index 34bc3255a..1cc73ed78 100644 --- a/docs/u_e-xmpp-enable.md +++ b/docs/u_e-xmpp-enable.md @@ -8,11 +8,12 @@ To enable XMPP for a domain, you need to edit the given domain in mailcow UI: ![Screen1](https://i.imgur.com/oLyHBke.png) -The chosen prefix will be your XMPP domain for all XMPP-enabled users in mailcow, for example: +The chosen prefix will be used to derive your XMPP login. -- Mailbox cowboy@develcow.de will equal to Jabber ID cowboy@**xmpp_prefix**.develcow.de +A prefix **xmpp_prefix** for the mailbox user `cowboy@develcow.de` would equal to the JID `cowboy@xmpp_prefix.develcow.de`. -**The passwords for mail and XMPP are the same.** +!!! info + The login passwords for mail and XMPP are the same. XMPP users are authenticated against mailcow. Before enabling XMPP for a domain, you should create two CNAME records in DNS: 
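Review bot: In the new docs/u_e-xmpp-enable.md the Nginx example `proxy_set_header Host MAILCOW_HOSTNAME;` uses the bare variable name as the header value; state that it has to be replaced with the real hostname (the DNS blocks in the same file use `mail.example.org`), otherwise a copied configuration sends the literal string as the Host header. The instruction not to add `xmpp_prefix.domain.tld` to `ADDITIONAL_SAN` gives no reason; one sentence on what goes wrong would keep readers from ignoring it. The wildcard CNAME `*.xmpp_prefix` is likewise unexplained, although the sample error line further down shows why it is needed (`pubsub.im.example.org`, `conference.im.example.org`). Wording: "contributers" should be "contributors" and "as long mailcow receives" should be "as long as mailcow receives".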
@@ -36,9 +37,9 @@ Once ejabberd is enabled, you may want to re-run the DNS check in the mailcow UI ``` # SRV records -# Name Type Priority Weight Port Value -_xmpp-client._tcp.xmpp_prefix IN SRV 10 1 5222 mail.example.org. (your ${MAILCOW_HOSTNAME}) -_xmpp-server._tcp.xmpp_prefix IN SRV 10 1 5269 mail.example.org. (your ${MAILCOW_HOSTNAME}) +# Name Type Value +_xmpp-client._tcp.xmpp_prefix IN SRV 10 1 5222 mail.example.org. (your ${MAILCOW_HOSTNAME}) +_xmpp-server._tcp.xmpp_prefix IN SRV 10 1 5269 mail.example.org. (your ${MAILCOW_HOSTNAME}) ``` There is no need to restart ejabberd, add these SRV records whenever you like. These records are crucial for autoconfiguration of XMPP clients and server-to-server connections. From bd4a1e23c78ac87607b0259163c6fce3b376bceb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Tue, 16 Feb 2021 15:00:39 +0100 Subject: [PATCH 070/288] Update u_e-xmpp-enable.md --- docs/u_e-xmpp-enable.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/docs/u_e-xmpp-enable.md b/docs/u_e-xmpp-enable.md index 1cc73ed78..3d4dc0adf 100644 --- a/docs/u_e-xmpp-enable.md +++ b/docs/u_e-xmpp-enable.md @@ -76,6 +76,18 @@ If your reverse proxy is configured to point to a site like `webmail.domain.tld` That's because mailcow does not know it should respond to `webmail.domain.tld` with mailcow UI. +### Method 1 + +A more simple approach is defining `ADDITIONAL_SERVER_NAMES` in `mailcow.conf`: + +``` +ADDITIONAL_SERVER_NAMES=webmail.domain.tld +``` + +Run `docker-compose up -d` to apply. + +### Method 2 + In your reverse proxy configuration, make sure you set a "Host" header that mailcow actually services, similar to this (Nginx example): ``` From 8e95131806f7fc1df403bfc3badde329c0be61e6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Tue, 16 Feb 2021 15:04:22 +0100 Subject: [PATCH 071/288] Update firststeps-rp.md --- docs/firststeps-rp.md | 10 ++++++++++ 1 file changed, 10 insertions(+) 
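Review bot: The SRV block header in docs/u_e-xmpp-enable.md is cut from `# Name Type Priority Weight Port Value` to `# Name Type Value`, but both rows still carry `10 1 5222` and `10 1 5269` in front of the target, so priority, weight and port are now unlabeled. Keep the full header, as the SRV table in docs/prerequisite-dns.md does. In the rewritten introduction, "would equal to the JID" should read "would equal the JID".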
diff --git a/docs/firststeps-rp.md b/docs/firststeps-rp.md index 3574c2767..1e1d00050 100644 --- a/docs/firststeps-rp.md +++ b/docs/firststeps-rp.md @@ -252,3 +252,13 @@ dovecot_c=$(docker ps -qaf name=dovecot-mailcow) nginx_c=$(docker ps -qaf name=nginx-mailcow) docker restart ${postfix_c} ${dovecot_c} ${nginx_c} ``` + +### Adding additional server names for mailcow UI + +If you plan to use a server name that is not `MAILCOW_HOSTNAME` in your reverse proxy, make sure to populate that name in mailcow.conf via `ADDITIONAL_SERVER_NAMES` first. Names must be separated by commas and **must not** contain spaces. If you skip this step, mailcow may respond to your reverse proxy with an incorrect site. + +``` +ADDITIONAL_SERVER_NAMES=webmail.domain.tld,other.example.tld +``` + +Run `docker-compose up -d` to apply. From 1c275581f673485a947964a05464050010ba88c9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Tue, 16 Feb 2021 15:06:48 +0100 Subject: [PATCH 072/288] Update firststeps-ssl.md --- docs/firststeps-ssl.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/docs/firststeps-ssl.md b/docs/firststeps-ssl.md index 8fc2a1656..61626c904 100644 --- a/docs/firststeps-ssl.md +++ b/docs/firststeps-ssl.md 
@@ -31,6 +31,17 @@ A wildcard name like `smtp.*` will try to obtain a smtp.DOMAIN_NAME SAN for each Run `docker-compose up -d` to recreate affected containers automatically. +!!! info + Using names other name `MAILCOW_HOSTNAME` to access the mailcow UI may need further configuration. + +If you plan to use a server name that is not `MAILCOW_HOSTNAME` to access the mailcow UI (for example by adding `mail.*` to `ADDITIONAL_SAN` make sure to populate that name in mailcow.conf via `ADDITIONAL_SERVER_NAMES`. Names must be separated by commas and **must not** contain spaces. If you skip this step, mailcow may respond with an incorrect site. + +``` +ADDITIONAL_SERVER_NAMES=webmail.domain.tld,other.example.tld +``` + +Run `docker-compose up -d` to apply. + ### Force renewal To force a renewal, you need to create a file named `force_renew` and restart the `acme-mailcow` container: From ab2207634b136f467000cd9f78db7d2c3cf434c7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Tue, 16 Feb 2021 16:34:13 +0100 Subject: [PATCH 073/288] Update u_e-xmpp-enable.md --- docs/u_e-xmpp-enable.md | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/docs/u_e-xmpp-enable.md b/docs/u_e-xmpp-enable.md index 3d4dc0adf..9d2f8c162 100644 --- a/docs/u_e-xmpp-enable.md +++ b/docs/u_e-xmpp-enable.md 
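Review bot: The admonition added to docs/firststeps-ssl.md reads "Using names other name `MAILCOW_HOSTNAME`", which should be "other than", and the sentence after it opens a parenthesis at "(for example by adding `mail.*` to `ADDITIONAL_SAN`" that is never closed. The sentence talks about a wildcard SAN such as `mail.*`, while the example `ADDITIONAL_SERVER_NAMES=webmail.domain.tld,other.example.tld` lists fixed names; say whether every expanded name has to be listed in `ADDITIONAL_SERVER_NAMES` individually.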
@@ -2,6 +2,35 @@ XMPP is provided by ejabberd, which describes itself as robust, scalable and ext So first of all, thanks to ejabberd and its contributers! +## FAQs + +- **Are messages stored on the server?** + +Not by default. The default setting is to disable the message archive via mod_mam but allow users to enable the function if they want to: + +``` + mod_mam: + clear_archive_on_room_destroy: true + default: never + compress_xml: true + request_activates_archiving: true +``` + +- **Are uploaded files stored on the server?** + +Yes, uploaded files are stored in the volume `xmpp-uploads-vol-1`. + +The retention policy saves them for 30 days: + +``` + mod_http_upload_quota: + max_days: 30 +``` + +- **Are messages stored when a JID is offline?** + +Yes, up to 1000 messages are stored. + ## Enable XMPP in mailcow To enable XMPP for a domain, you need to edit the given domain in mailcow UI: From 11bf5ccc4eb4c2122def45ffa1a0a9c601143439 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Tue, 16 Feb 2021 16:40:46 +0100 Subject: [PATCH 074/288] Update mkdocs.yml --- mkdocs.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/mkdocs.yml b/mkdocs.yml index fe0cb444b..455d94657 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -96,8 +96,7 @@ nav: - 'Redis': 'u_e-redis.md' - 'Rspamd': 'u_e-rspamd.md' - 'SOGo': 'u_e-sogo.md' - - 'XMPP': - - 'Enable XMPP': 'u_e-xmpp-enable.md' + - 'XMPP': 'u_e-xmpp-enable.md' - 'Docker': - 'Customize Dockerfiles': 'u_e-docker-cust_dockerfiles.md' - 'Docker Compose Bash Completion': 'u_e-docker-dc_bash_compl.md' From c54afa99ab13f06f9287d8898d36b1d0f482a3d5 Mon Sep 17 00:00:00 2001 From: andryyy Date: Tue, 16 Feb 2021 16:55:54 +0100 Subject: [PATCH 075/288] More XMPP updates --- docs/u_e-xmpp-enable.md | 29 ----------------------------- docs/u_e-xmpp-faq.md | 38 ++++++++++++++++++++++++++++++++++++++ mkdocs.yml | 2 ++ 3 files changed, 40 insertions(+), 29 deletions(-) create mode 100644 docs/u_e-xmpp-faq.md 
diff --git a/docs/u_e-xmpp-enable.md b/docs/u_e-xmpp-enable.md index 9d2f8c162..3d4dc0adf 100644 --- a/docs/u_e-xmpp-enable.md +++ b/docs/u_e-xmpp-enable.md @@ -2,35 +2,6 @@ XMPP is provided by ejabberd, which describes itself as robust, scalable and ext So first of all, thanks to ejabberd and its contributers! -## FAQs - -- **Are messages stored on the server?** - -Not by default. The default setting is to disable the message archive via mod_mam but allow users to enable the function if they want to: - -``` - mod_mam: - clear_archive_on_room_destroy: true - default: never - compress_xml: true - request_activates_archiving: true -``` - -- **Are uploaded files stored on the server?** - -Yes, uploaded files are stored in the volume `xmpp-uploads-vol-1`. - -The retention policy saves them for 30 days: - -``` - mod_http_upload_quota: - max_days: 30 -``` - -- **Are messages stored when a JID is offline?** - -Yes, up to 1000 messages are stored. - ## Enable XMPP in mailcow To enable XMPP for a domain, you need to edit the given domain in mailcow UI: diff --git a/docs/u_e-xmpp-faq.md b/docs/u_e-xmpp-faq.md new file mode 100644 index 000000000..c4936c607 --- /dev/null +++ b/docs/u_e-xmpp-faq.md 
@@ -0,0 +1,38 @@ +## FAQ + +- **I do not want to run ejabberd, is there a `SKIP_XMPP` variable?** + +No, there is not. But you don't need one either. + +The xmppd behaves the same way as SOGo or Solr do when disabled. A shell will be idling and ejabberd will **not** be started. + +As soon as a domain is enabled for XMPP, the container will be restarted and ejabberd bootstrapped. + +ejabberd is **very** light on resources, you may want to give it a try. + +- **Are messages stored on the server?** + +Not by default. The default setting is to disable the message archive via mod_mam but allow users to enable the function if they want to: + +``` + mod_mam: + clear_archive_on_room_destroy: true + default: never + compress_xml: true + request_activates_archiving: true +``` + +- **Are uploaded files stored on the server?** + +Yes, uploaded files are stored in the volume `xmpp-uploads-vol-1`. + +The retention policy saves them for 30 days: + +``` + mod_http_upload_quota: + max_days: 30 +``` + +- **Are messages stored when a JID is offline?** + +Yes, up to 1000 messages are stored. diff --git a/mkdocs.yml b/mkdocs.yml index 455d94657..7796dd21f 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -97,6 +97,8 @@ nav: - 'Rspamd': 'u_e-rspamd.md' - 'SOGo': 'u_e-sogo.md' - 'XMPP': 'u_e-xmpp-enable.md' + - 'FAQ': 'u_e-xmpp-faq.md' + - 'Enable XMPP': 'u_e-xmpp-enable.md' - 'Docker': - 'Customize Dockerfiles': 'u_e-docker-cust_dockerfiles.md' - 'Docker Compose Bash Completion': 'u_e-docker-dc_bash_compl.md' From 2598bc45d4ebb385b060ee35d714ab7cce874f8b Mon Sep 17 00:00:00 2001 From: andryyy Date: Tue, 16 Feb 2021 21:32:37 +0100 Subject: [PATCH 076/288] More FAQs for XMPP --- docs/u_e-xmpp-faq.md | 40 +++++++++++++++++++++++++++++++++++++++- 1 file changed, 39 insertions(+), 1 deletion(-) diff --git a/docs/u_e-xmpp-faq.md b/docs/u_e-xmpp-faq.md index c4936c607..277fa4818 100644 --- a/docs/u_e-xmpp-faq.md +++ b/docs/u_e-xmpp-faq.md 
@@ -1,5 +1,7 @@ ## FAQ +Please find the most frequently asked questions with their corresponding configuration in `data/conf/ejabberd/ejabberd.yml` (if any). + - **I do not want to run ejabberd, is there a `SKIP_XMPP` variable?** No, there is not. But you don't need one either. @@ -35,4 +37,40 @@ The retention policy saves them for 30 days: - **Are messages stored when a JID is offline?** -Yes, up to 1000 messages are stored. +Yes, up to 1000 messages are stored for "normal" users and administrators: + +``` +shaper_rules: + max_user_offline_messages: + 1000: admin + 1000: all +``` + +- **Are messages written in group chats stored?** + +No, messages are not stored: + +``` + mod_muc: + default_room_options: + mam: false +``` + +- **Are group chats persistent when the last participant leaves?** + +No, they will vanish: + +``` + mod_muc: + default_room_options: + persistent: false +``` + +- **How many client sessions can be open at the same time?** + +10 sessions are allowed per session. + +``` +shaper_rules: + max_user_sessions: 10 +``` From 3119ad054b50a9ca7df8e979a827a272e9599997 Mon Sep 17 00:00:00 2001 From: andryyy Date: Thu, 18 Feb 2021 08:49:34 +0100 Subject: [PATCH 077/288] fix --- mkdocs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mkdocs.yml b/mkdocs.yml index 7796dd21f..c8b6933e6 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -96,7 +96,7 @@ nav: - 'Redis': 'u_e-redis.md' - 'Rspamd': 'u_e-rspamd.md' - 'SOGo': 'u_e-sogo.md' - - 'XMPP': 'u_e-xmpp-enable.md' + - 'XMPP': - 'FAQ': 'u_e-xmpp-faq.md' - 'Enable XMPP': 'u_e-xmpp-enable.md' - 'Docker': From 9e1239dd271293f395fd81cc71ddd19a58a206e4 Mon Sep 17 00:00:00 2001 
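Review bot: In docs/u_e-xmpp-faq.md the answer to "How many client sessions can be open at the same time?" says "10 sessions are allowed per session"; with `max_user_sessions: 10` this should read "per user". In the offline-message answer, `1000: admin` and `1000: all` set the same limit, so either say the limit is 1000 for everyone or explain why the two entries are kept apart. The new opening sentence is hard to parse; something like "The most frequently asked questions are listed below, each with the relevant setting from `data/conf/ejabberd/ejabberd.yml` where one exists" says the same thing more directly.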
From: =?UTF-8?q?Malte=20M=C3=BCns?= Date: Wed, 3 Mar 2021 11:27:09 +0100 Subject: [PATCH 078/288] [TASK] Update build-thunderbird-plugins.sh to make it compatible with restructured sogo connector for thunderbird v78 --- docs/download/build-thunderbird-plugins.sh | 29 +++++++++++----------- 1 file changed, 15 insertions(+), 14 deletions(-) diff --git a/docs/download/build-thunderbird-plugins.sh b/docs/download/build-thunderbird-plugins.sh index 27f2e9ded..35ff84a26 100755 --- a/docs/download/build-thunderbird-plugins.sh +++ b/docs/download/build-thunderbird-plugins.sh @@ -10,27 +10,28 @@ fi cd $(dirname $0) -wget -O connector.tar.gz https://github.com/inverse-inc/sogo-connector/archive/sogo-connector-68.0.1.tar.gz - -mkdir -p connector -tar --strip-components=1 -C connector -xf connector.tar.gz +# we have to use the master branch, because there is no tag or release at the moment +wget -O connector.zip https://github.com/inverse-inc/sogo-connector/archive/master.zip +unzip connector.zip # build custom connector while read DOMAINS; do for DOMAIN in $DOMAINS; do echo "Building SOGo Connector for $DOMAIN hosted on $MAILHOST" - cd connector + cd sogo-connector-master mkdir -p custom/${DOMAIN} cp -r custom/sogo-demo/* custom/${DOMAIN}/ - sed -i "s/http:\/\/sogo-demo\.inverse\.ca/https:\/\/${MAILHOST}/g" custom/${DOMAIN}/chrome/content/sogo-connector/global/extensions.rdf - sed -i "s/plugins\/updates\.php[?]/thunderbird-plugins.php?domain=${DOMAIN}\&/g" custom/${DOMAIN}/chrome/content/sogo-connector/global/extensions.rdf - echo > custom/${DOMAIN}/defaults/preferences/site.js - echo 'pref("sogo-connector.autocomplete.server.urlid", "'${DOMAIN}'");' > custom/${DOMAIN}/defaults/preferences/site.js - echo 'pref("mail.collect_email_address_outgoing", false);' >> custom/${DOMAIN}/defaults/preferences/site.js - #sed -i 's/<\/Seq>/
  • <\/li>
  • <\/li><\/Seq>/g' custom/${DOMAIN}/chrome/content/sogo-connector/global/extensions.rdf + sed -i "s/https:\/\/demo\.sogo\.nu/https:\/\/${MAILHOST}/g" custom/${DOMAIN}/chrome/content/sogo-connector/general/custom-preferences.js + sed -i "s/plugins\/updates\.php[?]/thunderbird-plugins.php?domain=${DOMAIN}\&/g" chrome/content/sogo-connector/global/extensions.rdf + # adjust sogo-connector.autocomplete.server.urlid + sed -i "s/\"public\"/\"${MAILHOST}\"/g" custom/${DOMAIN}/chrome/content/sogo-connector/general/custom-preferences.js + # remove wrong timezone setting + sed -i 's/char_pref(\"calendar\.timezone\.local\", \"\/mozilla\.org\/20070129_1\/America\/Montreal\");//g' custom/${DOMAIN}/chrome/content/sogo-connector/general/custom-preferences.js + + echo 'bool_pref("mail.collect_email_address_outgoing", false);' >> custom/${DOMAIN}/chrome/content/sogo-connector/general/custom-preferences.js make build=${DOMAIN} - CONNECTOR_VER=$(grep em:version install.rdf | awk -F '"' '{print $2}') - CONNECTOR_MIN_VER=$(grep em:minVersion install.rdf | grep -Eo '[0-9\.]+' | head -n 1) + CONNECTOR_VER=$(grep \"version\" manifest.json | awk -F '"' '{print $4}') + CONNECTOR_MIN_VER=$(grep strict_min_version manifest.json | grep -Eo '[0-9\.]+' | head -n 1) mv sogo-connector-*.xpi ../sogo-connector-${CONNECTOR_VER}-${DOMAIN}.xpi cd .. done @@ -57,4 +58,4 @@ echo "sogo-connector@inverse.ca;${CONNECTOR_VER};sogo-connector-${CONNECTOR_VER} # echo "sieve@mozdev.org;${SIEVE_VER};sieve-${SIEVE_VER}.xpi" >> version.csv # echo "imap-acl@sirphreak.com;${IMAP_ACL_VER};imap_acl_extension-${IMAP_ACL_VER}-tb.xpi" >> version.csv -rm -rf connector *.tar.gz +rm -rf sogo-connector-master *.zip From 6ab9d4f72f6df59d00f0f73b91b62ef93c183958 Mon Sep 17 00:00:00 2001 From: MAGIC Date: Fri, 12 Mar 2021 18:06:39 +0100 Subject: [PATCH 079/288] Is now u_e-fido2.md --- docs/model-fido2.md | 23 ----------------------- 1 file changed, 23 deletions(-) delete mode 100644 docs/model-fido2.md 
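Review bot: The second `sed` in the loop of docs/download/build-thunderbird-plugins.sh now edits `chrome/content/sogo-connector/global/extensions.rdf` without the `custom/${DOMAIN}/` prefix, so every iteration rewrites the same file in the unpacked tree. Once the first domain has replaced `plugins/updates.php?`, the pattern no longer matches, and each later domain is built with the first domain's `thunderbird-plugins.php?domain=` value. Restore the per-domain path or reset that file at the start of each iteration. Separately, `wget -O connector.zip https://github.com/inverse-inc/sogo-connector/archive/master.zip` builds from a moving branch with no integrity check, so the resulting .xpi files are not reproducible and contain whatever is on master at build time; pin the archive to a commit hash and verify a checksum before `unzip`. The value written for `sogo-connector.autocomplete.server.urlid` also changes from `${DOMAIN}` to `${MAILHOST}` through the `"public"` replacement, which the commit message does not mention.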
diff --git a/docs/model-fido2.md b/docs/model-fido2.md deleted file mode 100644 index 8b0f58e86..000000000 --- a/docs/model-fido2.md +++ /dev/null @@ -1,23 +0,0 @@ -## How is UV handled in mailcow? - -The UV flag (as in "user verification") enforces WebAuthn to verify the user before it allows access to the key (think of a PIN). We don't enforce but prefer UV to allow logins via iOS and NFC (YubiKey). - -## Login and key processing - -mailcow uses **client-side key processing**. We ask the authenticator (i.e. YubiKey) to save the registration in its memory. - -A user does not need to enter a username. The available credentials - if any - will be shown to the user when selecting the "key login" via mailcow UI login. - -When calling the login process, the authenticator is not given any credential IDs. This will force it to lookup credentials in its own memory. - -## Who can use WebAuthn to login to mailcow? - -As of today, only administrators and domain administrators are able to setup WebAuthn/FIDO2. - -## iOS problems - -Please use a desktop computer to register your key with your mailcow account. - -The process was tested using a YubiKey with Chrome on Windows. When registering a new, empty key, you will be prompted for a PIN for the new YubiKey. Once set and confirmed, the credentials are stored on the key. Using it with iOS works flawless now. - -iOS seems not to be able to set a PIN on the device on first use, so please use a desktop computer for this step. From 92d5997908a67c797d004dc6bcaa486a0af5af5d Mon Sep 17 00:00:00 2001 From: MAGIC Date: Fri, 12 Mar 2021 18:07:37 +0100 Subject: [PATCH 080/288] Add redirects for pages --- .travis.yml | 2 +- mkdocs.yml | 4 ++++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 4f65a58ec..78cdde8a9 100644 --- a/.travis.yml +++ b/.travis.yml 
@@ -1,6 +1,6 @@ language: python install: -- pip install mkdocs-material pygments +- pip install mkdocs-material pygments mkdocs-redirects script: - mkdocs build --verbose --clean deploy: diff --git a/mkdocs.yml b/mkdocs.yml index c8b6933e6..0abace861 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -142,3 +142,7 @@ extra: link: https://github.com/mailcow extra_css: [extra.css] extra_javascript: [clients.js] +plugins: + - redirects: + redirect_maps: + 'u_e-mailpiler-integration.md': 'third_party-mailpiler_integration.md' \ No newline at end of file From 2f02b0475840a160c90df8aa052d6cdb64375fb6 Mon Sep 17 00:00:00 2001 From: MAGIC Date: Fri, 12 Mar 2021 18:58:54 +0100 Subject: [PATCH 081/288] Add search plugin to mkdocs.yml --- mkdocs.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/mkdocs.yml b/mkdocs.yml index 0abace861..47035ce7d 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -143,6 +143,7 @@ extra: extra_css: [extra.css] extra_javascript: [clients.js] plugins: + - search - redirects: redirect_maps: 'u_e-mailpiler-integration.md': 'third_party-mailpiler_integration.md' \ No newline at end of file From bc701f788e707790f52d1c51fb743f6e929c06c4 Mon Sep 17 00:00:00 2001 From: Peter Date: Fri, 12 Mar 2021 21:55:33 +0100 Subject: [PATCH 082/288] Update .travis.yml Use cleanup because skip_cleanup is deprecated --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 78cdde8a9..d4f109e05 100644 --- a/.travis.yml +++ b/.travis.yml @@ -5,7 +5,7 @@ script: - mkdocs build --verbose --clean deploy: provider: pages - skip_cleanup: true + cleanup: false github_token: $GITHUB_TOKEN local_dir: site name: $BOT_NAME From d8cbe9476f0df7fb5f2f8803a4fc551a480c1a17 Mon Sep 17 00:00:00 2001 From: MAGIC Date: Fri, 12 Mar 2021 22:08:48 +0100 Subject: [PATCH 083/288] Revert "Update .travis.yml" This reverts commit bc701f788e707790f52d1c51fb743f6e929c06c4. --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
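Review bot: The `redirect_maps` entry added to mkdocs.yml covers only `u_e-mailpiler-integration.md`, but the nav reordering earlier in this series also moved `u_e-exchange-onprem.md` to `third_party-exchange_onprem.md`, and `docs/model-fido2.md` is deleted under the subject "Is now u_e-fido2.md"; both old URLs stop resolving unless they get redirect entries as well. The hunk leaves mkdocs.yml without a trailing newline ("\ No newline at end of file"). In .travis.yml, `pip install mkdocs-material pygments mkdocs-redirects` installs unpinned versions, so a new release of any of the three packages can change or break the deployed site without a change in this repository; pin the versions.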
diff --git a/.travis.yml b/.travis.yml index d4f109e05..78cdde8a9 100644 --- a/.travis.yml +++ b/.travis.yml @@ -5,7 +5,7 @@ script: - mkdocs build --verbose --clean deploy: provider: pages - cleanup: false + skip_cleanup: true github_token: $GITHUB_TOKEN local_dir: site name: $BOT_NAME From 729098734cb9f70463989525e92d428b46d31a2e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Wed, 17 Mar 2021 16:51:45 +0100 Subject: [PATCH 084/288] Update firststeps-logging.md --- docs/firststeps-logging.md | 43 +++++++++++++++++++++++++++++++++++++- 1 file changed, 42 insertions(+), 1 deletion(-) diff --git a/docs/firststeps-logging.md b/docs/firststeps-logging.md index 8c758a436..2f12c33fb 100644 --- a/docs/firststeps-logging.md +++ b/docs/firststeps-logging.md @@ -26,6 +26,8 @@ Redis keys will only hold logs from applications and filter out system messages ### Logging drivers +#### Via docker-compose.override.yml + Here is the good news: Since Docker has some great logging drivers, you can integrate mailcow: dockerized into your existing logging environment with ease. Create a `docker-compose.override.yml` and add, for example, this block to use the "gelf" logging plugin for `postfix-mailcow`: 
@@ -40,7 +42,46 @@ services: gelf-address: "udp://graylog:12201" ``` -If you want to change the logging driver globally, edit Dockers daemon configuration file `/etc/docker/daemon.json` and restart the Docker service: +Another example for **Syslog**: + +``` +version: '2.1' +services: + + postfix-mailcow: # or any other + logging: + driver: "syslog" + options: + syslog-address: "udp://127.0.0.1:514" + syslog-facility: "local3" + + dovecot-mailcow: # or any other + logging: + driver: "syslog" + options: + syslog-address: "udp://127.0.0.1:514" + syslog-facility: "local3" + + rspamd-mailcow: # or any other + logging: + driver: "syslog" + options: + syslog-address: "udp://127.0.0.1:514" + syslog-facility: "local3" + +# For Rsyslog only: +# To move local3 input to /var/log/mailcow.log and stop processing, create a file "/etc/rsyslog.d/docker.conf": + +local3.* /var/log/mailcow.logs +& ~ + +# Restart rsyslog afterwards. + +``` + +#### via daemon.json (globally) + +If you want to **change the logging driver globally**, edit Dockers daemon configuration file `/etc/docker/daemon.json` and restart the Docker service: ``` { From 3022fd332097f48e24a3c2ed15adc51691414ad6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Sun, 21 Mar 2021 20:27:51 +0100 Subject: [PATCH 085/288] Update index.md --- docs/index.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/index.md b/docs/index.md index 4fe59848b..f199d0793 100644 --- a/docs/index.md +++ b/docs/index.md 
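Review bot: In the Syslog example added to docs/firststeps-logging.md, the rsyslog rule writes to `/var/log/mailcow.logs` while the comment directly above it names `/var/log/mailcow.log`; one of the two is a typo. The rsyslog lines (`local3.* ...` and `& ~`) also sit inside the same code fence as the `docker-compose.override.yml` YAML, so copying the block as written yields an invalid override file. Suggest a separate fenced block for `/etc/rsyslog.d/docker.conf`, and `& stop` in place of `& ~`, which current rsyslog releases flag as deprecated. The two new headings are also capitalised inconsistently (`#### Via docker-compose.override.yml` vs `#### via daemon.json (globally)`).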
@@ -6,6 +6,10 @@ Please consider a support contract for a small monthly fee at [Servercow EN](htt If you are super awesome and would like to support without a contract, you can get a SAL license that confirms your awesomeness (a flexible one-time payment) at [Servercow EN](https://www.servercow.de/mailcow?lang=en#sal)/[Servercow DE](https://www.servercow.de/mailcow#sal). +₿ If you like anonymous donations, please consider a Bitcoin donation via **1E5rgzgA1sS3QH7r1ToWxRC3GEavfsGMrx** + +![grafik](https://user-images.githubusercontent.com/2972950/111918092-beb7d680-8a83-11eb-9a98-1fe43d3e0deb.png) + ## Get support There are two ways to achieve support for your mailcow installation. From b2e3599d0baf8b686edf1cd6b8e7789bedae0b54 Mon Sep 17 00:00:00 2001 From: fabreg Date: Wed, 31 Mar 2021 22:59:12 +0200 Subject: [PATCH 086/288] Update third_party-gitea.md Added a step needed if you use http to https redirect --- docs/third_party-gitea.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/docs/third_party-gitea.md b/docs/third_party-gitea.md index 92e20fcae..62f8bad42 100644 --- a/docs/third_party-gitea.md +++ b/docs/third_party-gitea.md 
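Review bot: The donation block added to docs/index.md shows the address once as text and once as an image hot-linked from `user-images.githubusercontent.com` with the alt text `grafik`, so the page depends on an asset outside the repository and readers cannot tell from the alt text what the image contains or that it corresponds to the printed address. Suggest committing the image to the docs tree and giving it a descriptive alt text, or dropping the image and keeping only the text address.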
@@ -33,11 +33,13 @@ GITEA_SSH_PORT=127.0.0.1:4000 5\. Run `docker-compose up -d` to bring up the gitea container and run `docker-compose restart nginx-mailcow` afterwards. -6\. Open `http://${MAILCOW_HOSTNAME}/gitea/`, for example `http://mx.example.org/gitea/`. For database details set `mysql` as database host. Use the value of DBNAME found in mailcow.conf as database name, DBUSER as database user and DBPASS as database password. +6\. If you forced mailcow to https, execute step 9 and restart gitea with `docker-compose restart gitea-mailcow` . Go head with step 7 (Remember to use https instead of http, `https://mx.example.org/gitea/` -7\. Once the installation is complete, login as admin and set "settings" -> "authorization" -> "enable SMTP". SMTP Host should be `postfix` with port `587`, set `Skip TLS Verify` as we are using an unlisted SAN ("postfix" is most likely not part of your certificate). +7\. Open `http://${MAILCOW_HOSTNAME}/gitea/`, for example `http://mx.example.org/gitea/`. For database details set `mysql` as database host. Use the value of DBNAME found in mailcow.conf as database name, DBUSER as database user and DBPASS as database password. -8\. Create `data/gitea/gitea/conf/app.ini` and set following values. You can consult [gitea cheat sheet](https://docs.gitea.io/en-us/config-cheat-sheet/) for their meaning and other possible values. +8\. Once the installation is complete, login as admin and set "settings" -> "authorization" -> "enable SMTP". SMTP Host should be `postfix` with port `587`, set `Skip TLS Verify` as we are using an unlisted SAN ("postfix" is most likely not part of your certificate). + +9\. Create `data/gitea/gitea/conf/app.ini` and set following values. You can consult [gitea cheat sheet](https://docs.gitea.io/en-us/config-cheat-sheet/) for their meaning and other possible values. ``` [server] 
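Review bot: The new step 6 in docs/third_party-gitea.md sends the reader forward to step 9 and then back to step 7, and its last sentence is broken: "Go head" should read "Go ahead", the parenthesis opened before "Remember" is never closed, and there is a stray space before the period after `docker-compose restart gitea-mailcow`. Since the patch wants `app.ini` in place before the first visit when HTTPS is forced, it would read more clearly to move the `app.ini` step ahead of the "Open ..." step instead of cross-referencing by number, which breaks on the next renumbering. Step 7 also still shows only `http://` URLs.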
@@ -49,4 +51,4 @@ SSH_PORT = 4000 ROOT_URL = https://mx.example.org/gitea/ ``` -9\. Restart gitea with `docker-compose restart gitea-mailcow`. Your users should be able to login with mailcow managed accounts. +10\. Restart gitea with `docker-compose restart gitea-mailcow`. Your users should be able to login with mailcow managed accounts. From a3f0507573c9b0fecc3b0f2582c0ed2318ef6623 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Thu, 1 Apr 2021 10:51:03 +0200 Subject: [PATCH 087/288] Update index.md --- docs/index.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/docs/index.md b/docs/index.md index f199d0793..4fe59848b 100644 --- a/docs/index.md +++ b/docs/index.md @@ -6,10 +6,6 @@ Please consider a support contract for a small monthly fee at [Servercow EN](htt If you are super awesome and would like to support without a contract, you can get a SAL license that confirms your awesomeness (a flexible one-time payment) at [Servercow EN](https://www.servercow.de/mailcow?lang=en#sal)/[Servercow DE](https://www.servercow.de/mailcow#sal). -₿ If you like anonymous donations, please consider a Bitcoin donation via **1E5rgzgA1sS3QH7r1ToWxRC3GEavfsGMrx** - -![grafik](https://user-images.githubusercontent.com/2972950/111918092-beb7d680-8a83-11eb-9a98-1fe43d3e0deb.png) - ## Get support There are two ways to achieve support for your mailcow installation. From 7cafbbae1b9581a226919a97a0f9c1b77408b349 Mon Sep 17 00:00:00 2001 From: Adriano Date: Thu, 1 Apr 2021 22:26:28 +0200 Subject: [PATCH 088/288] Add reference to "SOGoUIxDebugEnabled = YES" --- docs/u_e-sogo.md | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/docs/u_e-sogo.md b/docs/u_e-sogo.md index 909e10918..3fde37361 100644 --- a/docs/u_e-sogo.md +++ b/docs/u_e-sogo.md 
@@ -1,10 +1,15 @@ SOGo is used for accessing your mails via a webbrowser, adding and sharing your contacts or calendars. For a more in-depth documentation on SOGo please visit its [own documentation](http://wiki.sogo.nu/). -## Change theme +## Apply custom SOGo theme mailcow builds after 28 January 2021 can change SOGo's theme by editing `data/conf/sogo/custom-theme.js`. -Please check the AngularJS Material [intro](https://material.angularjs.org/latest/Theming/01_introduction) and [documentation](https://material.angularjs.org/latest/Theming/03_configuring_a_theme) as well as the [material style guideline](https://material.io/archive/guidelines/style/color.html#color-color-palette) to learn how this works. -After you updated said file you need to restart SOGo and Memcached containers by executing `docker-compose restart memcached-mailcow sogo-mailcow`. +Please check the AngularJS Material [intro](https://material.angularjs.org/latest/Theming/01_introduction) and [documentation](https://material.angularjs.org/latest/Theming/03_configuring_a_theme) as well as the [material style guideline](https://material.io/archive/guidelines/style/color.html#color-color-palette) to learn how this works. + +You can use the provided `custom-theme.js` as an example starting point by removing the comments. +After you modified `data/conf/sogo/custom-theme.js` and made changes to your new SOGo theme you need to + +* edit `data/conf/sogo/sogo.conf` and append/set `SOGoUIxDebugEnabled = YES;` +* restart SOGo and Memcached containers by executing `docker-compose restart memcached-mailcow sogo-mailcow`. ## Reset to SOGo default theme Checkout `data/conf/sogo/custom-theme.js` by executing `git fetch ; git checkout origin/master data/conf/sogo/custom-theme.js data/conf/sogo/custom-theme.js` 
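Review bot: The new bullet in docs/u_e-sogo.md tells readers to set `SOGoUIxDebugEnabled = YES;` in `data/conf/sogo/sogo.conf` but does not say why a debug switch is needed for a theme change or whether it should stay enabled afterwards. Please add one sentence on what the setting does here and whether to revert it once the theme is applied. The sentence introducing the list also repeats itself ("After you modified `data/conf/sogo/custom-theme.js` and made changes to your new SOGo theme").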
@@ -19,9 +24,9 @@ Find in `data/conf/sogo/custom-theme.js`: 'hue-3': 'A700' }) .accentPalette('green', { - 'default': '600', // background color of fab buttons + 'default': '600', // background color of fab buttons and login screen 'hue-1': '300', // background color of center list toolbar - 'hue-2': '300', + 'hue-2': '300', // highlight color for selected mail and current day calendar 'hue-3': 'A700' }) .backgroundPalette('frost-grey'); From 15db9aba298fd19342c23ab7cfbd2397d5a0ea4b Mon Sep 17 00:00:00 2001 From: andryyy Date: Sat, 10 Apr 2021 11:22:36 +0200 Subject: [PATCH 089/288] Remove "Untrust RFC1918" --- docs/firststeps-trust_networks.md | 11 +++++++++++ mkdocs.yml | 4 ++-- 2 files changed, 13 insertions(+), 2 deletions(-) create mode 100644 docs/firststeps-trust_networks.md diff --git a/docs/firststeps-trust_networks.md b/docs/firststeps-trust_networks.md new file mode 100644 index 000000000..e12dd9dfb --- /dev/null +++ b/docs/firststeps-trust_networks.md @@ -0,0 +1,11 @@ +Per default mailcow considers all networks as untrusted, except for its own IPV4_NETWORK and IPV6_NETWORK scope. Though it is reasonable in most cases, you may want to loosen this restriction under certain circumstances to allow connections from other networks. + +To change this behaviour override the default value of `mynetworks` parameter through the `data/conf/postfix/extra.cf` configuration file. + +**Important**: Do **not** remove the networks listed as `IPV4_NETWORK` and `IPV6_NETWORK` in your mailcow.conf. You should also keep local addresses. To add `1.2.3.4/32` it may look like the configuration below: + +``` +mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 172.22.1.0/24 [fd4d:6169:6c63:6f77::]/64 1.2.3.4/32 +``` + +Per default we use "mynetworks_style = subnet" to only include local networks we are part of. diff --git a/mkdocs.yml b/mkdocs.yml index 47035ce7d..6da9afd31 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
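Review bot: The new docs/firststeps-trust_networks.md explains how to widen `mynetworks` but never states what being trusted means; the page it replaces (docs/firststeps-rfc-1918.md) at least warned that trusting a network "may result in an open relay". Suggest carrying a sentence like that over and recommending the narrowest possible entry, as the `1.2.3.4/32` example does. The example line also hard-codes `172.22.1.0/24` and `[fd4d:6169:6c63:6f77::]/64` without saying these are the default `IPV4_NETWORK` and `IPV6_NETWORK` values, which the old page did state, and the closing sentence about `mynetworks_style = subnet` does not say how it relates to an explicit `mynetworks` setting.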
@@ -39,7 +39,7 @@ nav: - 'Rspamd UI': 'firststeps-rspamd_ui.md' - 'SNAT': 'firststeps-snat.md' - 'Sync job migration': 'firststeps-sync_jobs_migration.md' - - 'Untrust RFC 1918': 'firststeps-rfc-1918.md' + - 'Add trsteded networks': 'firststeps-trust_networks.md' - 'Models': - 'ACL': 'model-acl.md' - 'Password hashing': 'model-passwd.md' @@ -146,4 +146,4 @@ plugins: - search - redirects: redirect_maps: - 'u_e-mailpiler-integration.md': 'third_party-mailpiler_integration.md' \ No newline at end of file + 'u_e-mailpiler-integration.md': 'third_party-mailpiler_integration.md' From 332a07c95a8008021de68cf89f2314b19d8a83da Mon Sep 17 00:00:00 2001 From: andryyy Date: Sat, 10 Apr 2021 11:26:03 +0200 Subject: [PATCH 090/288] Remove "Untrust RFC1918" --- docs/firststeps-rfc-1918.md | 11 ----------- 1 file changed, 11 deletions(-) delete mode 100644 docs/firststeps-rfc-1918.md diff --git a/docs/firststeps-rfc-1918.md b/docs/firststeps-rfc-1918.md deleted file mode 100644 index d99fbb5c0..000000000 --- a/docs/firststeps-rfc-1918.md +++ /dev/null 
@@ -1,11 +0,0 @@ -Per default, mailcow considers all private RFC1918 networks (i.e. 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) as trusted. Though it is reasonable in most cases, you may want to restrict this setting under certain circumstances. In particular, if you are using some kind of reverse proxy for SMTP TCP ports. If your reverse proxy host is located in a private net, mailcow will consider all traffic from it as trusted, which may result in an open relay. - -To change this behaviour override the default value of `mynetworks` parameter through the `data/conf/postfix/extra.cf` configuration file. - -**Important**: Do **not** remove the networks listed as `IPV4_NETWORK` and `IPV6_NETWORK` in your mailcow.conf. You should also keep local addresses. - -The default values for those variables - `172.22.1.0/24` and `fd4d:6169:6c63:6f77::/64` - would result in the following, minimal configuration: - -``` -mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 172.22.1.0/24 [fd4d:6169:6c63:6f77::]/64 -``` From 67a5bec516d6b7593ee9d4c578094f57489f053d Mon Sep 17 00:00:00 2001 From: MAGIC Date: Sat, 10 Apr 2021 22:36:25 +0200 Subject: [PATCH 091/288] Add ejabberd + sort lists --- docs/index.md | 37 ++++++++++++++++++++++--------------- 1 file changed, 22 insertions(+), 15 deletions(-) diff --git a/docs/index.md b/docs/index.md index 4fe59848b..c54fb769d 100644 --- a/docs/index.md +++ b/docs/index.md 
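Review bot: Deleting docs/firststeps-rfc-1918.md leaves the old page URL without a target, although mkdocs.yml already loads the `redirects` plugin with a `redirect_maps` entry for the mailpiler page. Suggest adding `'firststeps-rfc-1918.md': 'firststeps-trust_networks.md'` under `redirect_maps` in the same commit so existing links to the old page keep working.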
@@ -64,29 +64,36 @@ The integrated **mailcow UI** allows administrative work on your mail server ins mailcow: dockerized comes with multiple containers linked in one bridged network. Each container represents a single application. -- [Dovecot](https://www.dovecot.org/) +- [ACME](https://letsencrypt.org/) - [ClamAV](https://www.clamav.net/) (optional) -- [Solr](http://lucene.apache.org/solr/) (optional) -- [Oletools](https://github.com/decalage2/oletools) via [Olefy](https://github.com/HeinleinSupport/olefy) -- [Memcached](https://www.memcached.org/) -- [Redis](https://redis.io/) +- [Dovecot](https://www.dovecot.org/) +- [ejabberd](https://www.ejabberd.im/) - [MariaDB](https://mariadb.org/) -- [Unbound](https://unbound.net/) +- [Memcached](https://www.memcached.org/) +- [Netfilter](https://www.netfilter.org/) (Fail2ban-like integration by [@mkuron](https://github.com/mkuron)) +- [Nginx](https://nginx.org/) +- [Oletools](https://github.com/decalage2/oletools) via [Olefy](https://github.com/HeinleinSupport/olefy) - [PHP](https://php.net/) - [Postfix](http://www.postfix.org/) -- [ACME](https://letsencrypt.org/) -- [Nginx](https://nginx.org/) +- [Redis](https://redis.io/) - [Rspamd](https://www.rspamd.com/) - [SOGo](https://sogo.nu/) -- [Netfilter](https://www.netfilter.org/) (Fail2ban-like integration by [@mkuron](https://github.com/mkuron)) +- [Solr](http://lucene.apache.org/solr/) (optional) +- [Unbound](https://unbound.net/) - A Watchdog to provide basic monitoring **Docker volumes** to keep dynamic data - take care of them! -- vmail-vol-1 -- solr-vol-1 -- redis-vol-1 -- mysql-vol-1 -- rspamd-vol-1 -- postfix-vol-1 - crypt-vol-1 +- mysql-socket-vol-1 +- mysql-vol-1 +- postfix-vol-1 +- redis-vol-1 +- rspamd-vol-1 +- sogo-userdata-backup-vol-1 +- sogo-web-vol-1 +- solr-vol-1 +- vmail-index-vol-1 +- vmail-vol-1 +- xmpp-upload-vol-1 +- xmpp-vol-1 From 0cb86a87d0df676719e53428b26ca965c086db1d Mon Sep 17 00:00:00 2001 
From: MAGIC Date: Sat, 10 Apr 2021 22:37:10 +0200 Subject: [PATCH 092/288] fix typo --- mkdocs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mkdocs.yml b/mkdocs.yml index 6da9afd31..328ea89d4 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -39,7 +39,7 @@ nav: - 'Rspamd UI': 'firststeps-rspamd_ui.md' - 'SNAT': 'firststeps-snat.md' - 'Sync job migration': 'firststeps-sync_jobs_migration.md' - - 'Add trsteded networks': 'firststeps-trust_networks.md' + - 'Add trusted networks': 'firststeps-trust_networks.md' - 'Models': - 'ACL': 'model-acl.md' - 'Password hashing': 'model-passwd.md' From 32f5c3158377a2658dbd46e0a16f737f258ee894 Mon Sep 17 00:00:00 2001 From: Felix Kaechele Date: Fri, 16 Apr 2021 19:36:22 -0400 Subject: [PATCH 093/288] Third-party: Borgmatic Backup This guide describes setting up automatic recurring backups using borgmatic. This is a good alternative to juggling tar archives. Signed-off-by: Felix Kaechele --- docs/third_party-borgmatic.md | 247 ++++++++++++++++++++++++++++++++++ mkdocs.yml | 1 + 2 files changed, 248 insertions(+) create mode 100644 docs/third_party-borgmatic.md diff --git a/docs/third_party-borgmatic.md b/docs/third_party-borgmatic.md new file mode 100644 index 000000000..4d9de3d01 --- /dev/null +++ b/docs/third_party-borgmatic.md 
@@ -0,0 +1,247 @@ +# Borgmatic Backup + +## Introduction + +Borgmatic is a great way to run backups on your Mailcow setup as it securely encrypts your data and is extremely easy to +set up. + +Due to it's deduplication capabilities you can store a great number of backups without wasting large amounts of disk +space. This allows you to run backups in very short intervals to ensure minimal data loss when the need arises to +recover data from a backup. + +This document guides you through the process to enable continuous backups for mailcow with borgmatic. The borgmatic +functionality is provided by the [borgmatic Docker image by b3vis](https://github.com/b3vis/docker-borgmatic). Check out +the `README` in that repository to find out about the other options (such as push notifications) that are available. +This guide only covers the basics. + +## Setting up borgmatic + +### Create or amend `docker-compose.override.yml` + +In the mailcow-dockerized root folder create or edit `docker-compose.override.yml` and insert the following +configuration: + +```yaml +version: '2.1' +services: + borgmatic-mailcow: + image: b3vis/borgmatic + restart: always + dns: ${IPV4_NETWORK:-172.22.1}.254 + volumes: + - vmail-vol-1:/mnt/source/vmail:ro + - mysql-socket-vol-1:/var/run/mysqld/:z + - ./data/conf/borgmatic/etc:/etc/borgmatic.d:Z + - ./data/conf/borgmatic/state:/root/.config/borg:Z + - ./data/conf/borgmatic/ssh:/root/.ssh:Z + environment: + - TZ=${TZ} + - BORG_PASSPHRASE=YouBetterPutSomethingRealGoodHere + networks: + mailcow-network: + aliases: + - borgmatic +``` + +Ensure that you change the `BORG_PASSPHRASE` to a secure passphrase of your choosing. + +For security reasons we mount the maildir as read-only. If you later want to restore data you will need to remove +the `ro` flag prior to restoring the data. This is described in the section on restoring backups. + +### Create `data/conf/borgmatic/etc/config.yaml` + +Next, we need to create the borgmatic configuration. 
+ +```shell +source mailcow.conf +cat < data/conf/borgmatic/etc/config.yaml +location: + source_directories: + - /mnt/source + repositories: + - user@rsync.net:mailcow + remote_path: borg1 + +retention: + keep_hourly: 24 + keep_daily: 7 + keep_weekly: 4 + keep_monthly: 6 + +hooks: + mysql_databases: + - name: ${DBNAME} + username: ${DBUSER} + password: ${DBPASS} + options: --default-character-set=utf8mb4 +EOF +``` + +Creating the file in this way ensures the correct MySQL credentials are pulled in from `mailcow.conf`. + +This file is a minimal example for using borgmatic with an account `user` on the cloud storage provider `rsync.net` for +a repository called `mailcow` (see `repositories` setting). It will backup both the maildir and MySQL database, which is +all you should need to restore your mailcow setup after an incident. The retention settings will keep one archive for +each hour of the past 24 hours, one per day of the week, one per week of the month and one per month of the past half +year. + +Check the [borgmatic documentation](https://torsion.org/borgmatic/) on how to use other types of repositories or +configuration options. If you choose to use a local filesystem as a backup destination make sure to mount it into the +container. The container defines a volume called `/mnt/borg-repository` for this purpose. + +!!! note + If you do not use rsync.net you can most likely drop the `remote_path` element from your config. + +### Create a crontab + +Create a new text file in `data/conf/borgmatic/etc/crontab.txt` with the following content: + +``` +14 * * * * PATH=$PATH:/usr/bin /usr/bin/borgmatic --stats -v 0 2>&1 +``` + +This file expects crontab syntax. The example shown here will trigger the backup to run every hour at 14 minutes past +the hour and log some nice stats at the end. + +### Place SSH keys in folder + +Place the SSH keys you intend to use for remote repository connections in `data/conf/borgmatic/ssh`. 
OpenSSH expects the +usual `id_rsa`, `id_ed25519` or similar to be in this directory. Ensure the file is `chmod 600` and not world readable +or OpenSSH will refuse to use the SSH key. + +### Bring up the container + +For the next step we need the container to be up and running in a configured state. To do that run: + +```shell +docker-compose up -d +``` + +### Initialize the repository + +By now your borgmatic container is up and running, but the backups will currently fail due to the repository not being +initialized. + +To initialize the repository run: + +```shell +docker-compose exec borgmatic-mailcow borgmatic init --encryption repokey-blake2 +``` + +You will be asked you to authenticate the SSH host key of your remote repository server. See if it matches and confirm +the prompt by entering `yes`. The repository will be initialized with the passphrase you set in the `BORG_PASSPHRASE` +environment variable earlier. + +When using any of the `repokey` encryption methods the encryption key will be stored in the repository itself and not on +the client, so there is no further action required in this regard. If you decide to use a `keyfile` instead of +a `repokey` make sure you export the key and back it up separately. Check the [Exporting Keys](#exporting-keys) section +for how to retrieve the key. + +### Restart container + +Now that we finished configuring and initializing the repository restart the container to ensure it is in a defined +state: + +```shell +docker-compose restart borgmatic-mailcow +``` + +## Restoring from a backup + +Restoring a backup assumes you are starting off with a fresh installation of mailcow, and you currently do not have +any custom data in your maildir or your mailcow database. + +### Restore maildir + +!!! warning + Doing this will overwrite files in your maildir! Do not run this unless you actually intend to recover mail + files from a backup. + +!!! 
note "If you use SELinux in Enforcing mode" + If you are using mailcow on a host with SELinux in Enforcing mode you will have to temporarily disable it during + extraction of the archive as the mailcow setup labels the vmail volume as private, belonging to the dovecot container + exclusively. SELinux will (rightfully) prevent any other container, such as the borgmatic container, from writing to + this volume. + +Before running a restore you must make the vmail volume writeable in `docker-compose.override.yml` by removing +the `ro` flag from the volume. +Then you can use the following command to restore the maildir from a backup: + +```shell +docker-compose exec borgmatic-mailcow borgmatic extract --path mnt/source --archive latest +``` + +Alternatively you can specify any archive name from the list of archives (see +[Listing all available archives](#listing-all-available-archives)) + +### Restore MySQL + +!!! warning + Running this command will delete and recreate the mailcow database! Do not run this unless you actually + intend to recover the mailcow database from a backup. + +To restore the MySQL database from the latest archive use this command: + +```shell +docker-compose exec borgmatic-mailcow borgmatic restore --archive latest +``` + +Alternatively you can specify any archive name from the list of archives (see +[Listing all available archives](#listing-all-available-archives)) + +### After restoring + +After restoring you need to restart mailcow. If you disabled SELinux enforcing mode now would be a good time to +re-enable it. + +To restart mailcow use the follwing command: + +```shell +docker-compose down && docker-compose up -d +``` + +If you use SELinux this will also trigger the re-labeling of all files in your vmail volume. Be patient, as this may +take a while if you have lots of files. 
+ +## Useful commands + +### Manual archiving run (with debugging output) + +```shell +docker-compose exec borgmatic-mailcow borgmatic -v 2 +``` + +### Listing all available archives + +```shell +docker-compose exec borgmatic-mailcow borgmatic list +``` + +### Break lock + +When borg is interrupted during an archiving run it will leave behind a stale lock that needs to be cleared before any +new operations can be performed: + +```shell +docker-compose exec borgmatic-mailcow borg break-lock user@rsync.net:mailcow +``` + +Where `user@rsync.net:mailcow` is the URI to your repository. + +Now would be a good time to do a manual archiving run to ensure it can be successfully performed. + +### Exporting keys + +When using any of the `keyfile` methods for encryption you **MUST** take care of backing up the key files yourself. The +key files are generated when you initialize the repository. The `repokey` methods store the key file within the +repository, so a manual backup isn't as essential. + +Note that in either case you also must have the passphrase to decrypt any archives. + +To fetch the keyfile run: + +```shell +docker-compose exec borgmatic-mailcow borg key export --paper user@rsync.net:mailcow +``` + +Where `user@rsync.net:mailcow` is the URI to your repository. \ No newline at end of file diff --git a/mkdocs.yml b/mkdocs.yml index 328ea89d4..5ec91ef3e 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -121,6 +121,7 @@ nav: - 'Windows Phone': 'client/client-windowsphone.md' - 'Manual configuration': 'client/client-manual.md' - 'Third party apps': + - 'Borgmatic Backup': 'third_party-borgmatic.md' - 'Exchange Hybrid Setup': 'third_party-exchange_onprem.md' - 'Gitea': 'third_party-gitea.md' - 'Gogs': 'third_party-gogs.md' From d1e8fbc470770d768868238cd2d07ca426d0d3c1 Mon Sep 17 00:00:00 2001 
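Review bot: The compose snippet in docs/third_party-borgmatic.md puts `BORG_PASSPHRASE` in clear text in `docker-compose.override.yml` with a copy-pasteable placeholder value, and the generated `data/conf/borgmatic/etc/config.yaml` receives `DBPASS` in clear text, yet the guide gives permission advice (`chmod 600`) only for the SSH keys. Suggest the same advice for both files, or reading the passphrase from a variable as is already done for `${TZ}`. `image: b3vis/borgmatic` is untagged, so each pull can bring a different build into a container that mounts the mail volume and the MySQL socket; a pinned tag would be safer. As shown, the `cat < data/conf/borgmatic/etc/config.yaml` line has no heredoc operator matching the closing `EOF`, so the block cannot be pasted as is. In the restore section, "temporarily disable" SELinux would be clearer with the exact commands and the re-enable reminder placed right after the extract step. Small text fixes: "Due to it's" should be "Due to its", "You will be asked you to" has a doubled word, and "follwing" is misspelled.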
From: andryyy Date: Mon, 19 Apr 2021 14:36:17 +0200 Subject: [PATCH 094/288] Add nrows history limit to Rspamd docs --- docs/u_e-rspamd.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/docs/u_e-rspamd.md b/docs/u_e-rspamd.md index bdc4fa461..a3f15b2cb 100644 --- a/docs/u_e-rspamd.md +++ b/docs/u_e-rspamd.md @@ -224,3 +224,19 @@ redis-cli -h redis DEL Q_LAST_NOTIFIED quarantine_notify.py ``` +## Increase history retention + +By default Rspamd keeps 1000 elements in the history. + +The history is stored compressed. + +It is recommended not to use a disproportionate high value here, try something along 5000 or 10000 and see how your server handles it: + +Edit `data/conf/rspamd/local.d/history_redis.conf`: + +``` +nrows = 1000; # change this value +``` + +Restart Rspamd afterwards: `docker-compose restart rspamd-mailcow` + From 0ae7ecf9add73693b3592bd1e31904c31216dc87 Mon Sep 17 00:00:00 2001 From: Peter Date: Tue, 20 Apr 2021 21:28:50 +0200 Subject: [PATCH 095/288] Create gh-pages.yml --- .github/gh-pages.yml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 .github/gh-pages.yml diff --git a/.github/gh-pages.yml b/.github/gh-pages.yml new file mode 100644 index 000000000..f79edb87f --- /dev/null +++ b/.github/gh-pages.yml @@ -0,0 +1,21 @@ +name: Build and deploy to gh-pages +on: [push] +jobs: + build-and-deploy: + runs-on: ubuntu-latest + steps: + - name: Checkout 📥 + uses: actions/checkout@v2.3.4 + + - name: Install and Build 🔧 + run: | + sudo apt-get -y update + sudo apt-get -y install python3-pip + pip install mkdocs-material pygments mkdocs-redirects + mkdocs build --verbose --clean + + - name: Deploy 🚀 + uses: JamesIves/github-pages-deploy-action@4.1.1 + with: + branch: gh-pages # The branch the action should deploy to. + folder: . # The folder the action should deploy. From f1c6bcb11bdb68fb641be18d0e5561278e5c97f7 Mon Sep 17 00:00:00 2001 
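Review bot: In the new workflow file of patch 095, `folder: .` in the Deploy step publishes the repository root instead of the `site` directory that `mkdocs build` produces (the Travis config used `local_dir: site`), and `on: [push]` runs the deploy for pushes to every branch. The file is also created as `.github/gh-pages.yml`, outside `.github/workflows/`, where GitHub Actions does not look for workflows. Separately, `JamesIves/github-pages-deploy-action@4.1.1` and `actions/checkout@v2.3.4` are referenced by tag and the `pip install` line is unpinned; pinning the actions to a commit SHA and the packages to fixed versions would make the job that writes to `gh-pages` reproducible.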
From: MAGIC Date: Tue, 20 Apr 2021 21:34:11 +0200 Subject: [PATCH 096/288] Add workflows folder --- .github/{ => workflows}/gh-pages.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename .github/{ => workflows}/gh-pages.yml (100%) diff --git a/.github/gh-pages.yml b/.github/workflows/gh-pages.yml similarity index 100% rename from .github/gh-pages.yml rename to .github/workflows/gh-pages.yml From 26ace065fa53575cd4e3f0db4674f2b6c40c8ef7 Mon Sep 17 00:00:00 2001 From: MAGIC Date: Tue, 20 Apr 2021 21:37:51 +0200 Subject: [PATCH 097/288] Bump Pygments to 2.8.1 --- .github/workflows/gh-pages.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index f79edb87f..e39419cf3 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -11,7 +11,7 @@ jobs: run: | sudo apt-get -y update sudo apt-get -y install python3-pip - pip install mkdocs-material pygments mkdocs-redirects + pip install mkdocs-material pygments==2.8.1 mkdocs-redirects mkdocs build --verbose --clean - name: Deploy 🚀 From fa82d9a6deb1cb544e9863fb10acafa481ec2fac Mon Sep 17 00:00:00 2001 From: MAGIC Date: Tue, 20 Apr 2021 21:43:59 +0200 Subject: [PATCH 098/288] Separate installing dependencies and build site --- .github/workflows/gh-pages.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index e39419cf3..9451c2130 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml 
@@ -7,15 +7,18 @@ jobs: - name: Checkout 📥 uses: actions/checkout@v2.3.4 - - name: Install and Build 🔧 + - name: Install dependencies 🐄 run: | sudo apt-get -y update sudo apt-get -y install python3-pip pip install mkdocs-material pygments==2.8.1 mkdocs-redirects - mkdocs build --verbose --clean + + - name: Build site 🔧 + run: | + mkdocs build --verbose --clean - name: Deploy 🚀 uses: JamesIves/github-pages-deploy-action@4.1.1 with: branch: gh-pages # The branch the action should deploy to. - folder: . # The folder the action should deploy. + folder: docs # The folder the action should deploy. From bdfdaa01cb4fa17ea9759077d542062d14b24761 Mon Sep 17 00:00:00 2001 From: MAGIC Date: Tue, 20 Apr 2021 21:45:07 +0200 Subject: [PATCH 099/288] tabs are bad --- .github/workflows/gh-pages.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 9451c2130..bd8ef6850 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -14,8 +14,8 @@ jobs: pip install mkdocs-material pygments==2.8.1 mkdocs-redirects - name: Build site 🔧 - run: | - mkdocs build --verbose --clean + run: | + mkdocs build --verbose --clean - name: Deploy 🚀 uses: JamesIves/github-pages-deploy-action@4.1.1 From d9f26ce1a4a6d9ff1b5bc1147bd5a3788b6e4e2e Mon Sep 17 00:00:00 2001 From: MAGIC Date: Tue, 20 Apr 2021 21:51:22 +0200 Subject: [PATCH 100/288] Use site as folder --- .github/workflows/gh-pages.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index bd8ef6850..075c81c07 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -21,4 +21,4 @@ jobs: uses: JamesIves/github-pages-deploy-action@4.1.1 with: branch: gh-pages # The branch the action should deploy to. - folder: docs # The folder the action should deploy. + folder: site # The folder the action should deploy. 
From bf1996b97fe03ee3194d1edacf737eebd6d6cbbe Mon Sep 17 00:00:00 2001 From: MAGIC Date: Tue, 20 Apr 2021 22:01:09 +0200 Subject: [PATCH 101/288] delete travis.yml --- .travis.yml | 14 -------------- 1 file changed, 14 deletions(-) delete mode 100644 .travis.yml diff --git a/.travis.yml b/.travis.yml deleted file mode 100644 index 78cdde8a9..000000000 --- a/.travis.yml +++ /dev/null @@ -1,14 +0,0 @@ -language: python -install: -- pip install mkdocs-material pygments mkdocs-redirects -script: -- mkdocs build --verbose --clean -deploy: - provider: pages - skip_cleanup: true - github_token: $GITHUB_TOKEN - local_dir: site - name: $BOT_NAME - email: $BOT_EMAIL - on: - branch: master From 77a8a09c196959294cd4d25030d5e953ece79554 Mon Sep 17 00:00:00 2001 From: MAGIC Date: Tue, 20 Apr 2021 22:01:23 +0200 Subject: [PATCH 102/288] Replace build badge --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 48fe30ca6..f814a2400 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -![TRAVIS-CI](https://api.travis-ci.org/mailcow/mailcow-dockerized-docs.svg?branch=master) +[![Build and deploy to gh-pages](https://github.com/mailcow/mailcow-dockerized-docs/actions/workflows/gh-pages.yml/badge.svg)](https://github.com/mailcow/mailcow-dockerized-docs/actions/workflows/gh-pages.yml) # mailcow: dockerized documentation From 7c0a5cd45ab44fd65d0bc1b74d170e4b72721cd6 Mon Sep 17 00:00:00 2001 From: Peter Date: Tue, 20 Apr 2021 22:50:38 +0200 Subject: [PATCH 103/288] Trigger workflow only on master --- .github/workflows/gh-pages.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 075c81c07..0f822da69 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -1,5 +1,8 @@ name: Build and deploy to gh-pages -on: [push] +on: + push: + branches: + - master jobs: build-and-deploy: runs-on: ubuntu-latest 
From b53e4ca9f7ca0e866bf22dc391193bed27ff4aae Mon Sep 17 00:00:00 2001 From: Sven Gottwald <2502366+svengo@users.noreply.github.com> Date: Wed, 21 Apr 2021 19:17:14 +0200 Subject: [PATCH 104/288] Update b_n_r_backup.md Add example for using backup_and_restore.sh in a cronjob --- docs/b_n_r_backup.md | 33 ++++++++++++++++++++++++++++++++- 1 file changed, 32 insertions(+), 1 deletion(-) diff --git a/docs/b_n_r_backup.md b/docs/b_n_r_backup.md index afc932563..55abdee92 100644 --- a/docs/b_n_r_backup.md +++ b/docs/b_n_r_backup.md @@ -1,5 +1,5 @@ ### Backup - +#### backup_and_restore.sh You can use the provided script `helper-scripts/backup_and_restore.sh` to backup mailcow automatically. Please do not copy this script to another location. @@ -30,3 +30,34 @@ To run a backup unattended, define MAILCOW_BACKUP_LOCATION as environment variab ``` MAILCOW_BACKUP_LOCATION=/opt/backup /opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh backup all ``` + +#### Cronjob +You can call the backupscript regularly using a cronjob. Normally cron informs you about the result of each backup operation by e-mail. If you want cron to create an email only in case of an error, you can use the following snippet in `/etc/cron.daily/mailcow-backup` for example. If necessary the paths must be modified. + +``` +#!/bin/sh + +# Backup mailcow data +# https://mailcow.github.io/mailcow-dockerized-docs/b_n_r_backup/ + +set -e + +OUT="$(mktemp)" +export MAILCOW_BACKUP_LOCATION="/opt/backup" +SCRIPT="/opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh" +PARAMETERS="backup all" +OPTIONS="--delete-days 30" + +# run command +set +e +"${SCRIPT}" ${PARAMETERS} ${OPTIONS} 2>&1 > "$OUT" +RESULT=$? + +if [ $RESULT -ne 0 ] + then + echo "${SCRIPT} ${PARAMETERS} ${OPTIONS} encounters an error:" + echo "RESULT=$RESULT" + echo "STDOUT / STDERR:" + cat "$OUT" +fi +``` From 53edcfb06a3d70a0124d6ff08d050079030e4c33 Mon Sep 17 00:00:00 2001 
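Review bot: in the cron script added to docs/b_n_r_backup.md (PATCH 104/288), the redirection order in `"${SCRIPT}" ${PARAMETERS} ${OPTIONS} 2>&1 > "$OUT"` sends stderr to cron's original stdout and only stdout to the temp file. Any warning on stderr therefore triggers a cron mail even when the backup succeeds, and the `cat "$OUT"` under "STDOUT / STDERR:" never contains stderr. Use `> "$OUT" 2>&1` instead. The file created by `mktemp` is also never removed, so one temp file is left behind per run; add `rm -f "$OUT"` at the end or a `trap` right after the `mktemp` line.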
From: drohhyn Date: Sat, 24 Apr 2021 09:40:26 +0200 Subject: [PATCH 105/288] Update u_e-xmpp-faq.md Info about open ports with ideling XMPP added. --- docs/u_e-xmpp-faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/u_e-xmpp-faq.md b/docs/u_e-xmpp-faq.md index 277fa4818..ee6f3c7a4 100644 --- a/docs/u_e-xmpp-faq.md +++ b/docs/u_e-xmpp-faq.md @@ -6,7 +6,7 @@ Please find the most frequently asked questions with their corresponding configu No, there is not. But you don't need one either. -The xmppd behaves the same way as SOGo or Solr do when disabled. A shell will be idling and ejabberd will **not** be started. +The xmppd behaves the same way as SOGo or Solr do when disabled. A shell will be idling and ejabberd will **not** be started (but open unconnected ports). As soon as a domain is enabled for XMPP, the container will be restarted and ejabberd bootstrapped. From d640dbe345826d7ae7f14866d0754c0391e3a443 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Mon, 26 Apr 2021 13:20:40 +0200 Subject: [PATCH 106/288] Update u_e-webmail-site.md --- docs/u_e-webmail-site.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/u_e-webmail-site.md b/docs/u_e-webmail-site.md index 31c9e1e65..f04de862f 100644 --- a/docs/u_e-webmail-site.md +++ b/docs/u_e-webmail-site.md @@ -14,7 +14,7 @@ server { include /etc/nginx/conf.d/listen_plain.active; include /etc/nginx/conf.d/listen_ssl.active; server_name webmail.example.org; - + server_tokens off; location ^~ /.well-known/acme-challenge/ { allow all; default_type "text/plain"; From a97522545b66595b7d0eef311fa57b64919eab7b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Mon, 26 Apr 2021 13:21:07 +0200 Subject: [PATCH 107/288] Update u_e-nginx.md --- docs/u_e-nginx.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/u_e-nginx.md b/docs/u_e-nginx.md index efeace445..9743b6e55 100644 --- a/docs/u_e-nginx.md +++ b/docs/u_e-nginx.md 
@@ -16,6 +16,7 @@ server { include /etc/nginx/conf.d/listen_plain.active; include /etc/nginx/conf.d/listen_ssl.active; server_name mysite.example.org; + server_tokens off; location ^~ /.well-known/acme-challenge/ { allow all; @@ -40,6 +41,7 @@ server { include /etc/nginx/conf.d/listen_plain.active; include /etc/nginx/conf.d/listen_ssl.active; server_name example.domain.tld; + server_tokens off; location ^~ /.well-known/acme-challenge/ { allow all; From 6f6842f49cf7981b0869cd16472564cc8f6b521f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Wed, 28 Apr 2021 20:55:44 +0200 Subject: [PATCH 108/288] Update firststeps-rp.md --- docs/firststeps-rp.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/firststeps-rp.md b/docs/firststeps-rp.md index 1e1d00050..d33d03a0b 100644 --- a/docs/firststeps-rp.md +++ b/docs/firststeps-rp.md @@ -15,6 +15,11 @@ This will also change the bindings inside the Nginx container! This is important Recreate affected containers by running `docker-compose up -d`. +**Important information, please read them carefully!** + +!!! info + If you plan to use a reverse proxy and want to use another server name that is **not** MAILCOW_HOSTNAME, you need to read **Adding additional server names for mailcow UI** at the bottom of this page. + !!! warning Make sure you run `generate_config.sh` before you enable any site configuration examples below. The script `generate_config.sh` copies snake-oil certificates to the correct location, so the services will not fail to start due to missing files. From c4744d11480003a92fdfea12e79129affe6288c7 Mon Sep 17 00:00:00 2001 From: Peter Date: Wed, 28 Apr 2021 21:32:33 +0200 Subject: [PATCH 109/288] Update debug-reset_pw.md --- docs/debug-reset_pw.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/docs/debug-reset_pw.md b/docs/debug-reset_pw.md index 3f14e8687..149d73124 100644 --- a/docs/debug-reset_pw.md +++ b/docs/debug-reset_pw.md 
@@ -77,9 +77,17 @@ MariaDB [(none)]> FLUSH PRIVILEGES; ## Remove Two-Factor Authentication +### For mailcow WebUI: + This works similar to resetting a MySQL password, now we do it from the host without connecting to the MySQL CLI: ``` source mailcow.conf docker-compose exec mysql-mailcow mysql -u${DBUSER} -p${DBPASS} ${DBNAME} -e "DELETE FROM tfa WHERE username='YOUR_USERNAME';" ``` + +### For SOGo: + +``` +docker-compose exec -u sogo sogo-mailcow sogo-tool user-preferences set defaults user@example.com SOGoGoogleAuthenticatorEnabled '{"SOGoGoogleAuthenticatorEnabled":0}' +``` From d1c4536d01c10feb4a90cccc3b0e0f49efaa5ba2 Mon Sep 17 00:00:00 2001 From: andryyy Date: Wed, 28 Apr 2021 22:37:30 +0200 Subject: [PATCH 110/288] Remove old file --- docs/u_e-change_config.md | 68 --------------------------------------- mkdocs.yml | 1 - 2 files changed, 69 deletions(-) delete mode 100644 docs/u_e-change_config.md diff --git a/docs/u_e-change_config.md b/docs/u_e-change_config.md deleted file mode 100644 index 98b3cb391..000000000 --- a/docs/u_e-change_config.md +++ /dev/null 
@@ -1,68 +0,0 @@ -The most important configuration files are mounted from the host into the related containers: - -``` -data/conf -├── unbound -│   └── unbound.conf -├── dovecot -│   ├── dovecot.conf -│   ├── dovecot-master.passwd -│   ├── sieve_after -│   └── sql -│   ├── dovecot-dict-sql.conf -│   └── dovecot-mysql.conf -├── mysql -│   └── my.cnf -├── nginx -│   ├── dynmaps.conf -│   ├── site.conf -│   └── templates -│   ├── listen_plain.template -│   ├── listen_ssl.template -│   └── server_name.template -├── postfix -│   ├── main.cf -│   ├── master.cf -│   ├── postscreen_access.cidr -│   ├── smtp_dsn_filter -│   └── sql -│   ├── mysql_relay_recipient_maps.cf -│   ├── mysql_tls_enforce_in_policy.cf -│   ├── mysql_tls_enforce_out_policy.cf -│   ├── mysql_virtual_alias_domain_catchall_maps.cf -│   ├── mysql_virtual_alias_domain_maps.cf -│   ├── mysql_virtual_alias_maps.cf -│   ├── mysql_virtual_domains_maps.cf -│   ├── mysql_virtual_mailbox_maps.cf -│   ├── mysql_virtual_relay_domain_maps.cf -│   ├── mysql_virtual_sender_acl.cf -│   └── mysql_virtual_spamalias_maps.cf -├── rspamd -│   ├── dynmaps -│   │   ├── authoritative.php -│   │   ├── settings.php -│   │   ├── tags.php -│   │   └── vars.inc.php -> ../../../web/inc/vars.inc.php -│   ├── local.d -│   │   ├── dkim.conf -│   │   ├── metrics.conf -│   │   ├── options.inc -│   │   ├── redis.conf -│   │   ├── rspamd.conf.local -│   │   └── statistic.conf -│   ├── lua -│   │   └── rspamd.local.lua -│   └── override.d -│   ├── logging.inc -│   ├── worker-controller.inc -│   └── worker-normal.inc -└── sogo - ├── sieve.creds - └── sogo.conf - -``` - -Just change the according configuration file on the host and restart the related service: -``` -docker-compose restart service-mailcow -``` diff --git a/mkdocs.yml b/mkdocs.yml index 328ea89d4..87708e050 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
@@ -105,7 +105,6 @@ nav: - 'Why unbound?': 'u_e-why_unbound.md' - 'Autodiscover / Autoconfig': 'u_e-autodiscover_config.md' - 'Redirect HTTP to HTTPS': 'u_e-80_to_443.md' - - 'Adjust Service Configurations': 'u_e-change_config.md' - 'Deinstall': 'u_e-deinstall.md' - 'Re-enable TLS 1.0 and TLS 1.1': 'u_e-reeanble-weak-protocols.md' - 'Client Configuration': From 9945b6c370a510afd86f3e5b029b021ebb70a06b Mon Sep 17 00:00:00 2001 From: andryyy Date: Thu, 29 Apr 2021 22:18:40 +0200 Subject: [PATCH 111/288] move deinstall --- docs/{u_e-deinstall.md => i_u_m_deinstall.md} | 0 mkdocs.yml | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) rename docs/{u_e-deinstall.md => i_u_m_deinstall.md} (100%) diff --git a/docs/u_e-deinstall.md b/docs/i_u_m_deinstall.md similarity index 100% rename from docs/u_e-deinstall.md rename to docs/i_u_m_deinstall.md diff --git a/mkdocs.yml b/mkdocs.yml index 83960fc5e..ca5e5a1a0 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -28,6 +28,7 @@ nav: - 'Installation': 'i_u_m_install.md' - 'Update': 'i_u_m_update.md' - 'Migration': 'i_u_m_migration.md' + - 'Deinstallation': 'i_u_m_deinstall.md' - 'Post Installation Tasks': - 'Advanced SSL': 'firststeps-ssl.md' - 'Disable IPv6': 'firststeps-disable_ipv6.md' @@ -105,7 +106,6 @@ nav: - 'Why unbound?': 'u_e-why_unbound.md' - 'Autodiscover / Autoconfig': 'u_e-autodiscover_config.md' - 'Redirect HTTP to HTTPS': 'u_e-80_to_443.md' - - 'Deinstall': 'u_e-deinstall.md' - 'Re-enable TLS 1.0 and TLS 1.1': 'u_e-reeanble-weak-protocols.md' - 'Client Configuration': - 'Overview': 'client.md' From 45c7e6a87f59eeac5b2fccce0604e88903d2a620 Mon Sep 17 00:00:00 2001 From: andryyy Date: Thu, 29 Apr 2021 22:32:42 +0200 Subject: [PATCH 112/288] reset tls certs --- docs/debug-reset-tls.md | 17 +++++++++++++++++ mkdocs.yml | 1 + 2 files changed, 18 insertions(+) create mode 100644 docs/debug-reset-tls.md diff --git a/docs/debug-reset-tls.md b/docs/debug-reset-tls.md new file mode 100644 index 000000000..b2584e0f4 
--- /dev/null +++ b/docs/debug-reset-tls.md @@ -0,0 +1,17 @@ +In case you encounter problems with your certificate, key or Let's Encrypt account, please try to reset the TLS assets: + +``` +source mailcow.conf +docker-compose down +rm -rf data/assets/ssl +mkdir data/assets/ssl +openssl req -x509 -newkey rsa:4096 -keyout data/assets/ssl-example/key.pem -out data/assets/ssl-example/cert.pem -days 365 -subj "/C=DE/ST=NRW/L=Willich/O=mailcow/OU=mailcow/CN=${MAILCOW_HOSTNAME}" -sha256 -nodes +cp -n -d data/assets/ssl-example/*.pem data/assets/ssl/ +docker-compose up -d +``` + +This will stop mailcow, source the variables we need, create a self-signed certificate and start mailcow. + +If you use Let's Encrypt you should be careful as you will create a new account and a new set of certificates. You will run into a ratelimit sooner or later. + +Please also note that previous TLSA records will be invalid. diff --git a/mkdocs.yml b/mkdocs.yml index ca5e5a1a0..b24e15e41 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -54,6 +54,7 @@ nav: - 'Remove Persistent Data': 'debug-rm_volumes.md' - 'Common Problems': 'debug-common_problems.md' - 'Admin login to SOGo': 'debug-admin_login_sogo.md' + - 'Reset TLS certificates'': 'debug-reset-tls.md' - 'Backup & Restore': - 'Helper script': - 'Backup': 'b_n_r_backup.md' From a1c87cd2a47d7f0388eabb1b4be7c7336cfc8c31 Mon Sep 17 00:00:00 2001 From: andryyy Date: Thu, 29 Apr 2021 22:39:08 +0200 Subject: [PATCH 113/288] fix typo --- mkdocs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mkdocs.yml b/mkdocs.yml index b24e15e41..666fbc45d 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -54,7 +54,7 @@ nav: - 'Remove Persistent Data': 'debug-rm_volumes.md' - 'Common Problems': 'debug-common_problems.md' - 'Admin login to SOGo': 'debug-admin_login_sogo.md' - - 'Reset TLS certificates'': 'debug-reset-tls.md' + - 'Reset TLS certificates': 'debug-reset-tls.md' - 'Backup & Restore': - 'Helper script': - 'Backup': 'b_n_r_backup.md' 
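Review bot: in docs/debug-reset-tls.md (PATCH 112/288), `rm -rf data/assets/ssl` deletes the current certificate, private key and Let's Encrypt account data with no way back, which is risky on a page people reach while debugging. Suggest moving the directory aside instead (for example `mv data/assets/ssl data/assets/ssl.bak`) and telling the reader to remove the copy once the new setup works. The `openssl req` line also writes to `data/assets/ssl-example/key.pem` and `cert.pem`, overwriting whatever is already there before `cp -n -d` copies it, and the explanatory sentence lists the steps in a different order than the commands (the config is sourced before mailcow is stopped), so it would help to align the two.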
From 0e7adfdea04ad67c25232ccf4f41afda035280b5 Mon Sep 17 00:00:00 2001 From: Daniel Lo Nigro Date: Sun, 2 May 2021 16:13:15 -0700 Subject: [PATCH 114/288] Update `pip install` command in readme --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index f814a2400..f9fe18d9e 100644 --- a/README.md +++ b/README.md @@ -9,6 +9,6 @@ https://mailcow.github.io/mailcow-dockerized-docs To build it locally, you need the [Material theme for MkDocs](https://squidfunk.github.io/mkdocs-material/), [MkDocs](https://www.mkdocs.org/) itself and [Pygments](http://pygments.org/). To install these with [pip](https://pip.pypa.io/en/stable/) and get it up and running, fire up your terminal and enter ``` -pip install mkdocs-material +pip install mkdocs-material pygments==2.8.1 mkdocs-redirects mkdocs serve -``` \ No newline at end of file +``` From 2cc7e092b3b76a6318931401b2c3b861564cbbf6 Mon Sep 17 00:00:00 2001 From: Stephen Schwetz Date: Tue, 4 May 2021 00:22:42 +1000 Subject: [PATCH 115/288] Provide better examples and more explaination Updated IP Ranges to correct documentation ranges Provided IPv6 Example Added warning about becoming an open relay --- docs/firststeps-trust_networks.md | 31 +++++++++++++++++++++++++------ 1 file changed, 25 insertions(+), 6 deletions(-) diff --git a/docs/firststeps-trust_networks.md b/docs/firststeps-trust_networks.md index e12dd9dfb..07886b51d 100644 --- a/docs/firststeps-trust_networks.md +++ b/docs/firststeps-trust_networks.md 
@@ -1,11 +1,30 @@ -Per default mailcow considers all networks as untrusted, except for its own IPV4_NETWORK and IPV6_NETWORK scope. Though it is reasonable in most cases, you may want to loosen this restriction under certain circumstances to allow connections from other networks. +## Default Unauthenticated Relaying +By default mailcow considers all networks as untrusted, excluding its own IPV4_NETWORK and IPV6_NETWORK scopes. Though it is reasonable in most cases, there may be circumstances that you need to loosen this restriction +As default we use "mynetworks_style = subnet". -To change this behaviour override the default value of `mynetworks` parameter through the `data/conf/postfix/extra.cf` configuration file. +## Permitting unauthenticated relaying. -**Important**: Do **not** remove the networks listed as `IPV4_NETWORK` and `IPV6_NETWORK` in your mailcow.conf. You should also keep local addresses. To add `1.2.3.4/32` it may look like the configuration below: +!!! Warning +Incorrect setup of mynetworks will allow your server to be used as an open relay to send unsolicitated bulk email. This **will** affect your ability to send emails to other mail servers, and can take some time to be reversed. If you don't know what this is for, than you do not need it. -``` -mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 172.22.1.0/24 [fd4d:6169:6c63:6f77::]/64 1.2.3.4/32 +!!! Note Do **not** remove the networks listed as `IPV4_NETWORK` and `IPV6_NETWORK` from your mailcow.conf, or the loopback ranges 127.0.0.0/8, [::ffff:127.0.0.0]/104, and [::1]. + +To change the my behaviour override the default value of `mynetworks` parameter through the `data/conf/postfix/extra.cf` configuration file. 
+ +### Permitting IPV4 hosts +To add `192.0.2.0/24` it may look like the configuration below: + +``` data/conf/postfix/extra.cf +mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 172.22.1.0/24 [fd4d:6169:6c63:6f77::]/64 192.0.2.0/24 ``` -Per default we use "mynetworks_style = subnet" to only include local networks we are part of. +### Permitting IPv6 hosts + +The addition of ipv6 hosts is done the same as ipv4, however the subnet needs to be placed between [ ] with the netmask appearing after it. To add 2001:DB8::/32 to be allowed to relay we would use the following configuration: + +``` data/conf/postfix/extra.cf +mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 172.22.1.0/24 [fd4d:6169:6c63:6f77::]/64 [2001:DB8::]/32 +``` + +!!! Info +Further Information on Postfix's mynetwork can be located [here](http://www.postfix.org/postconf.5.html#mynetworks "Postfix's mynetworks") From d6512bdc6a9a35cb385d81e37f91d6e77c0c02e5 Mon Sep 17 00:00:00 2001 From: Stephen Schwetz Date: Tue, 4 May 2021 01:00:20 +1000 Subject: [PATCH 116/288] Update prerequisite-dns.md quick tidy up --- docs/prerequisite-dns.md | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/docs/prerequisite-dns.md b/docs/prerequisite-dns.md index 0d198c428..c9a23e60b 100644 --- a/docs/prerequisite-dns.md +++ b/docs/prerequisite-dns.md 
@@ -86,7 +86,8 @@ Here are some tools you can use to verify your DNS configuration: ### Optional DMARC Statistics If you are interested in statistics, you can additionally register with some of the many below DMARC statistic services, or self-host your own. -**NOTE:** It is worth considering that if you request DMARC statistic reports to your mailcow server, if there are issues with that domain you may not get accurate results. You can consider using an alternative email domain for recieving DMARC reports. +!!! Tip +It is worth considering that if you request DMARC statistic reports to your mailcow server, if there are issues with that domain you may not get accurate results. You can consider using an alternative email domain for recieving DMARC reports. It is worth mentioning, that the following suggestions are not a comprehensive list of all services and tools avaialble, but only a small few of the many choices. 
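Review bot: the `!!! Tip` added in the first prerequisite-dns.md hunk of PATCH 116/288 recommends an alternative email domain for receiving DMARC reports but does not mention the DNS record that makes this work. When the report address (the `rua` tag) is in a different domain than the one the policy is published for, the receiving domain has to publish a TXT record at `<policy-domain>._report._dmarc.<report-domain>` containing `v=DMARC1` (RFC 7489, section 7.1), otherwise compliant reporters will ignore the address. A sentence on that, plus fixing the spelling of "recieving", would make the tip actionable.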
@@ -96,18 +97,14 @@ It is worth mentioning, that the following suggestions are not a comprehensive l - [Postmark](https://dmarc.postmarkapp.com) - [Dmarcian](https://dmarcian.com/) -**NOTE:** The services may provide you with a TXT record, which you would insert into your DNS records as the provider specifies. This record will give you details about spam-classified mails by your domain. However, please ensure to read the providers documentation from the service you choose, as this process may vary and not all providers may use a TXT record. +!!! Tip +The services may provide you with a TXT record, which you would insert into your DNS records as the provider specifies. This record will give you details about spam-classified mails by your domain. However, please ensure to read the providers documentation from the service you choose, as this process may vary and not all providers may use a TXT record. ### Email Test for SPF, DKIM and DMARC: -To test send an email to the email below and wait for a reply: - -check-auth@verifier.port25.com - -You will get a report back that looks like the following: +To test send an email to the email check-auth@verifier.port25.com and wait for a reply. You will get a report back that looks like the following: ``` - ========================================================== Summary of Results ========================================================== From be0fac6d00d63fd303014c6c5ec5cf4216213f1f Mon Sep 17 00:00:00 2001 From: MAGIC Date: Mon, 3 May 2021 18:20:50 +0200 Subject: [PATCH 117/288] Update pygments to 2.9.0 --- .github/workflows/gh-pages.yml | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 0f822da69..e924c2c3b 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml 
@@ -14,7 +14,7 @@ jobs: run: | sudo apt-get -y update sudo apt-get -y install python3-pip - pip install mkdocs-material pygments==2.8.1 mkdocs-redirects + pip install mkdocs-material pygments==2.9.0 mkdocs-redirects - name: Build site 🔧 run: | diff --git a/README.md b/README.md index f9fe18d9e..bbc5b1471 100644 --- a/README.md +++ b/README.md @@ -9,6 +9,6 @@ https://mailcow.github.io/mailcow-dockerized-docs To build it locally, you need the [Material theme for MkDocs](https://squidfunk.github.io/mkdocs-material/), [MkDocs](https://www.mkdocs.org/) itself and [Pygments](http://pygments.org/). To install these with [pip](https://pip.pypa.io/en/stable/) and get it up and running, fire up your terminal and enter ``` -pip install mkdocs-material pygments==2.8.1 mkdocs-redirects +pip install mkdocs-material pygments==2.9.0 mkdocs-redirects mkdocs serve ``` From 9585becdd3aa0fbe991a021b1786aeecf2be022d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Mon, 3 May 2021 21:33:14 +0200 Subject: [PATCH 118/288] Update docs/firststeps-trust_networks.md Co-authored-by: Peter --- docs/firststeps-trust_networks.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/firststeps-trust_networks.md b/docs/firststeps-trust_networks.md index 07886b51d..a1576cc13 100644 --- a/docs/firststeps-trust_networks.md +++ b/docs/firststeps-trust_networks.md 
@@ -20,7 +20,7 @@ mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 172.22.1.0 ### Permitting IPv6 hosts -The addition of ipv6 hosts is done the same as ipv4, however the subnet needs to be placed between [ ] with the netmask appearing after it. To add 2001:DB8::/32 to be allowed to relay we would use the following configuration: +The addition of IPv6 hosts is done the same as IPv4, however the subnet needs to be placed between [ ] with the netmask appearing after it. To add 2001:db8::/32 to be allowed to relay we would use the following configuration: ``` data/conf/postfix/extra.cf mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 172.22.1.0/24 [fd4d:6169:6c63:6f77::]/64 [2001:DB8::]/32 From 860c6f783d9af9d2ec8d2f3bdd23d96baa66f60f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Mon, 3 May 2021 21:33:29 +0200 Subject: [PATCH 119/288] Update docs/firststeps-trust_networks.md Co-authored-by: Peter --- docs/firststeps-trust_networks.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/firststeps-trust_networks.md b/docs/firststeps-trust_networks.md index a1576cc13..ba43d7cac 100644 --- a/docs/firststeps-trust_networks.md +++ b/docs/firststeps-trust_networks.md @@ -12,7 +12,7 @@ Incorrect setup of mynetworks will allow your server to be used as an open relay To change the my behaviour override the default value of `mynetworks` parameter through the `data/conf/postfix/extra.cf` configuration file. ### Permitting IPV4 hosts -To add `192.0.2.0/24` it may look like the configuration below: +To add `192.168.2.0/24` it may look like the configuration below: ``` data/conf/postfix/extra.cf mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 172.22.1.0/24 [fd4d:6169:6c63:6f77::]/64 192.0.2.0/24 From e4e868436c93600205f160a7670e712dd0a7911a Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Mon, 3 May 2021 21:34:07 +0200 Subject: [PATCH 120/288] Update docs/prerequisite-dns.md Co-authored-by: Peter --- docs/prerequisite-dns.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/prerequisite-dns.md b/docs/prerequisite-dns.md index c9a23e60b..714bef480 100644 --- a/docs/prerequisite-dns.md +++ b/docs/prerequisite-dns.md @@ -87,7 +87,7 @@ Here are some tools you can use to verify your DNS configuration: If you are interested in statistics, you can additionally register with some of the many below DMARC statistic services, or self-host your own. !!! Tip -It is worth considering that if you request DMARC statistic reports to your mailcow server, if there are issues with that domain you may not get accurate results. You can consider using an alternative email domain for recieving DMARC reports. +It is worth considering that if you request DMARC statistic reports to your mailcow server, if there are issues with that domain you may not get accurate results. You can consider using an alternative email domain for receiving DMARC reports. It is worth mentioning, that the following suggestions are not a comprehensive list of all services and tools avaialble, but only a small few of the many choices. From 77bad7d6c2d288588bd6e77d3df1cac4e5b86c96 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Mon, 3 May 2021 21:34:23 +0200 Subject: [PATCH 121/288] Update docs/prerequisite-dns.md Co-authored-by: Peter --- docs/prerequisite-dns.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/prerequisite-dns.md b/docs/prerequisite-dns.md index 714bef480..ee574290c 100644 --- a/docs/prerequisite-dns.md +++ b/docs/prerequisite-dns.md 
@@ -102,7 +102,7 @@ The services may provide you with a TXT record, which you would insert into your ### Email Test for SPF, DKIM and DMARC: -To test send an email to the email check-auth@verifier.port25.com and wait for a reply. You will get a report back that looks like the following: +To test send an email to the email `check-auth at verifier.port25.com` and wait for a reply. You will get a report back that looks like the following: ``` ========================================================== From 832b7ccfe2fe777a3eeb47826050fd0b0a23e3f9 Mon Sep 17 00:00:00 2001 From: Peter Date: Mon, 3 May 2021 22:55:26 +0200 Subject: [PATCH 122/288] Update docs/firststeps-trust_networks.md --- docs/firststeps-trust_networks.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/firststeps-trust_networks.md b/docs/firststeps-trust_networks.md index ba43d7cac..18fdff11a 100644 --- a/docs/firststeps-trust_networks.md +++ b/docs/firststeps-trust_networks.md @@ -23,7 +23,7 @@ mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 172.22.1.0 The addition of IPv6 hosts is done the same as IPv4, however the subnet needs to be placed between [ ] with the netmask appearing after it. To add 2001:db8::/32 to be allowed to relay we would use the following configuration: ``` data/conf/postfix/extra.cf -mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 172.22.1.0/24 [fd4d:6169:6c63:6f77::]/64 [2001:DB8::]/32 +mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 172.22.1.0/24 [fd4d:6169:6c63:6f77::]/64 [2001:db8::]/32 ``` !!! Info From 093f786b3ee59aaf19e350881b855f6d547a3e20 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Tue, 4 May 2021 12:04:03 +0200 Subject: [PATCH 123/288] Update firststeps-trust_networks.md --- docs/firststeps-trust_networks.md | 35 ++++++++++++++++++------------- 1 file changed, 21 insertions(+), 14 deletions(-) 
diff --git a/docs/firststeps-trust_networks.md b/docs/firststeps-trust_networks.md index 18fdff11a..801371e14 100644 --- a/docs/firststeps-trust_networks.md +++ b/docs/firststeps-trust_networks.md 
@@ -1,30 +1,37 @@ -## Default Unauthenticated Relaying -By default mailcow considers all networks as untrusted, excluding its own IPV4_NETWORK and IPV6_NETWORK scopes. Though it is reasonable in most cases, there may be circumstances that you need to loosen this restriction -As default we use "mynetworks_style = subnet". +By default mailcow considers **all networks as untrusted** excluding its own IPV4_NETWORK and IPV6_NETWORK scopes. Though it is reasonable in most cases, there may be circumstances that you need to loosen this restriction. -## Permitting unauthenticated relaying. +By default mailcow uses `mynetworks_style = subnet` to determine internal subnets and leaves `mynetworks` unconfigured. + +If you decide to set `mynetworks`, Postfix ignores the mynetworks_style setting. This means you **have to** add the IPV4_NETWORK and IPV6_NETWORK scopes as well as loopback subnets manually! + +## Unauthenticated relaying !!! Warning -Incorrect setup of mynetworks will allow your server to be used as an open relay to send unsolicitated bulk email. This **will** affect your ability to send emails to other mail servers, and can take some time to be reversed. If you don't know what this is for, than you do not need it. +Incorrect setup of `mynetworks` will allow your server to be used as an open relay. If abused, this **will** affect your ability to send emails and can take some time to be resolved. -!!! Note Do **not** remove the networks listed as `IPV4_NETWORK` and `IPV6_NETWORK` from your mailcow.conf, or the loopback ranges 127.0.0.0/8, [::ffff:127.0.0.0]/104, and [::1]. +### IPv4 hosts/subnets -To change the my behaviour override the default value of `mynetworks` parameter through the `data/conf/postfix/extra.cf` configuration file. 
+To add the subnet `192.168.2.0/24` to the trusted networks you may use the following configuration, depending on your IPV4_NETWORK and IPV6_NETWORK scopes: -### Permitting IPV4 hosts -To add `192.168.2.0/24` it may look like the configuration below: +Edit `data/conf/postfix/extra.cf`: -``` data/conf/postfix/extra.cf -mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 172.22.1.0/24 [fd4d:6169:6c63:6f77::]/64 192.0.2.0/24 +``` +mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 172.22.1.0/24 [fd4d:6169:6c63:6f77::]/64 192.168.2.0/24 ``` -### Permitting IPv6 hosts +Run `docker-compose restart postfix-mailcow` to apply your new settings. -The addition of IPv6 hosts is done the same as IPv4, however the subnet needs to be placed between [ ] with the netmask appearing after it. To add 2001:db8::/32 to be allowed to relay we would use the following configuration: +### IPv6 hosts/subnets + +Adding IPv6 hosts is done the same as IPv4, however the subnet needs to be placed in brackets `[]` with the netmask appended. + +To add the subnet 2001:db8::/32 to the trusted networks you may use the following configuration, depending on your IPV4_NETWORK and IPV6_NETWORK scopes: ``` data/conf/postfix/extra.cf mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 172.22.1.0/24 [fd4d:6169:6c63:6f77::]/64 [2001:db8::]/32 ``` +Run `docker-compose restart postfix-mailcow` to apply your new settings. + !!! Info -Further Information on Postfix's mynetwork can be located [here](http://www.postfix.org/postconf.5.html#mynetworks "Postfix's mynetworks") +More information about mynetworks can be found in the [Postfix documentation](http://www.postfix.org/postconf.5.html#mynetworks). From 045ab389e8f86941f67558fa453020a6b849a923 Mon Sep 17 00:00:00 2001 
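Review bot: in the docs/firststeps-trust_networks.md hunk of PATCH 123/288, both examples add a whole subnet (`192.168.2.0/24`, `[2001:db8::]/32`) to `mynetworks`, and every address in that list may relay without authentication, which is exactly what the Warning above them is about. Say explicitly that the entry should be as narrow as possible, ideally a single host as in the earlier `1.2.3.4/32` example, and add a verification step after the restart, for instance `docker-compose exec postfix-mailcow postconf mynetworks` to confirm the effective value. Minor: the IPv6 block still carries `data/conf/postfix/extra.cf` on its opening fence line while the IPv4 block now uses "Edit `data/conf/postfix/extra.cf`:", so the two sections should use one form.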
From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Tue, 4 May 2021 12:36:07 +0200 Subject: [PATCH 124/288] Update prerequisite-dns.md --- docs/prerequisite-dns.md | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/docs/prerequisite-dns.md b/docs/prerequisite-dns.md index ee574290c..e5e7427cd 100644 --- a/docs/prerequisite-dns.md +++ b/docs/prerequisite-dns.md @@ -84,10 +84,11 @@ Here are some tools you can use to verify your DNS configuration: ## Misc ### Optional DMARC Statistics -If you are interested in statistics, you can additionally register with some of the many below DMARC statistic services, or self-host your own. + +If you are interested in statistics, you can additionally register with some of the many below DMARC statistic services - or self-host your own. !!! Tip -It is worth considering that if you request DMARC statistic reports to your mailcow server, if there are issues with that domain you may not get accurate results. You can consider using an alternative email domain for receiving DMARC reports. +It is worth considering that if you request DMARC statistic reports to your mailcow server and your mailcow server is not configured correctly to receive these reports, you may not get accurate and complete results. Please consider using an alternative email domain for receiving DMARC reports. It is worth mentioning, that the following suggestions are not a comprehensive list of all services and tools avaialble, but only a small few of the many choices. 
@@ -98,11 +99,12 @@ It is worth mentioning, that the following suggestions are not a comprehensive l - [Dmarcian](https://dmarcian.com/) !!! Tip -The services may provide you with a TXT record, which you would insert into your DNS records as the provider specifies. This record will give you details about spam-classified mails by your domain. However, please ensure to read the providers documentation from the service you choose, as this process may vary and not all providers may use a TXT record. -### Email Test for SPF, DKIM and DMARC: +These services may provide you with a TXT record you need to insert into your DNS records as the provider specifies. Please ensure to read the providers documentation from the service you choose as this process may vary. -To test send an email to the email `check-auth at verifier.port25.com` and wait for a reply. You will get a report back that looks like the following: +### Email test for SPF, DKIM and DMARC: + +To run a rudimentary email authentication check, send a mail to `check-auth at verifier.port25.com` and wait for a reply. You will find a report similar to the following: ``` ========================================================== @@ -119,8 +121,10 @@ Details: ========================================================== .... ``` -The full report will contain more technical details this is just the first section, we found this to be quite usful for testing both outgoing mail and spam scores. + +The full report will contain more technical details. ### Fully Qualified Domain Name (FQDN) + [^1]: A **Fully Qualified Domain Name** (**FQDN**) is the complete (absolute) domain name for a specific computer or host, on the Internet. The FQDN consists of at least three parts divided by a dot: the hostname (myhost), the domain name (mydomain) and the top level domain in short **tld** (com). In the example of `mx.mailcow.email` the hostname would be `mx`, the domain name `mailcow` and the tld `email`. 
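Review bot: both `!!! Tip` blocks touched by this patch (the one before the service list and the one after it) add their body text flush left, and MkDocs admonitions only take indented lines as their body, so the text renders as an ordinary paragraph outside the tip. Indent the `+It is worth considering ...` and `+These services may provide ...` lines by four spaces. Separately, `check-auth at verifier.port25.com` sits inside code formatting with ` at ` spelled out, so it cannot be pasted as written; either give the real address or say that ` at ` stands for `@`.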
From ac2de9f82a02010feeaee127edc6b4bda0212190 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Tue, 4 May 2021 13:13:58 +0200 Subject: [PATCH 125/288] Update b_n_r_backup.md --- docs/b_n_r_backup.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/docs/b_n_r_backup.md b/docs/b_n_r_backup.md index 55abdee92..cc66f79b2 100644 --- a/docs/b_n_r_backup.md +++ b/docs/b_n_r_backup.md @@ -32,7 +32,15 @@ MAILCOW_BACKUP_LOCATION=/opt/backup /opt/mailcow-dockerized/helper-scripts/backu ``` #### Cronjob -You can call the backupscript regularly using a cronjob. Normally cron informs you about the result of each backup operation by e-mail. If you want cron to create an email only in case of an error, you can use the following snippet in `/etc/cron.daily/mailcow-backup` for example. If necessary the paths must be modified. + +You can run the backup script regularly via cronjob. Make sure `BACKUP_LOCATION` exists: + +```5 4 * * * cd /opt/mailcow-dockerized/; MAILCOW_BACKUP_LOCATION=/mnt/mailcow_backups /opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh backup mysql crypt redis --delete-days 3 +``` + +Per default cron sends the full result of each backup operation by email. If you want cron to only mail on error (non-zero exit code) you may want to use the following snippet. Pathes need to be modified according to your setup (this script is a user contribution). + +This following script may be placed in `/etc/cron.daily/mailcow-backup` - do not forget to mark it as executable via `chmod +x`: ``` #!/bin/sh From 41f08f7b21a885552f65dbeced00b9086389d002 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Tue, 4 May 2021 13:14:39 +0200 Subject: [PATCH 126/288] Update b_n_r_backup.md --- docs/b_n_r_backup.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/b_n_r_backup.md b/docs/b_n_r_backup.md index cc66f79b2..9fb976e58 100644 --- a/docs/b_n_r_backup.md +++ b/docs/b_n_r_backup.md 
@@ -1,5 +1,7 @@ ### Backup -#### backup_and_restore.sh + +#### Manual + You can use the provided script `helper-scripts/backup_and_restore.sh` to backup mailcow automatically. Please do not copy this script to another location. From d15912a28fa59acca0bc611696e06d0e1d03d579 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Wed, 5 May 2021 17:28:57 +0200 Subject: [PATCH 127/288] Update firststeps-trust_networks.md --- docs/firststeps-trust_networks.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/firststeps-trust_networks.md b/docs/firststeps-trust_networks.md index 801371e14..1e8c34eb7 100644 --- a/docs/firststeps-trust_networks.md +++ b/docs/firststeps-trust_networks.md @@ -7,7 +7,7 @@ If you decide to set `mynetworks`, Postfix ignores the mynetworks_style setting. ## Unauthenticated relaying !!! Warning -Incorrect setup of `mynetworks` will allow your server to be used as an open relay. If abused, this **will** affect your ability to send emails and can take some time to be resolved. + Incorrect setup of `mynetworks` will allow your server to be used as an open relay. If abused, this **will** affect your ability to send emails and can take some time to be resolved. ### IPv4 hosts/subnets @@ -34,4 +34,4 @@ mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 172.22.1.0 Run `docker-compose restart postfix-mailcow` to apply your new settings. !!! Info -More information about mynetworks can be found in the [Postfix documentation](http://www.postfix.org/postconf.5.html#mynetworks). + More information about mynetworks can be found in the [Postfix documentation](http://www.postfix.org/postconf.5.html#mynetworks). From 07a3e13d8820fbf1d92ff073ae1783bd4b993fd4 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Wed, 5 May 2021 17:29:32 +0200 Subject: [PATCH 128/288] Update firststeps-trust_networks.md --- docs/firststeps-trust_networks.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/firststeps-trust_networks.md b/docs/firststeps-trust_networks.md index 1e8c34eb7..5d65083af 100644 --- a/docs/firststeps-trust_networks.md +++ b/docs/firststeps-trust_networks.md @@ -27,7 +27,9 @@ Adding IPv6 hosts is done the same as IPv4, however the subnet needs to be place To add the subnet 2001:db8::/32 to the trusted networks you may use the following configuration, depending on your IPV4_NETWORK and IPV6_NETWORK scopes: -``` data/conf/postfix/extra.cf +Edit `data/conf/postfix/extra.cf`: + +``` mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 172.22.1.0/24 [fd4d:6169:6c63:6f77::]/64 [2001:db8::]/32 ``` From 3725c094a70534a7e6eb6830be53234fcfd14b3c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Wed, 5 May 2021 17:31:56 +0200 Subject: [PATCH 129/288] Update firststeps-trust_networks.md --- docs/firststeps-trust_networks.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/firststeps-trust_networks.md b/docs/firststeps-trust_networks.md index 5d65083af..aea044b9e 100644 --- a/docs/firststeps-trust_networks.md +++ b/docs/firststeps-trust_networks.md @@ -7,7 +7,7 @@ If you decide to set `mynetworks`, Postfix ignores the mynetworks_style setting. ## Unauthenticated relaying !!! Warning - Incorrect setup of `mynetworks` will allow your server to be used as an open relay. If abused, this **will** affect your ability to send emails and can take some time to be resolved. + Incorrect setup of `mynetworks` will allow your server to be used as an open relay. If abused, this **will** affect your ability to send emails and can take some time to be resolved. ### IPv4 hosts/subnets 
@@ -36,4 +36,4 @@ mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 [fe80::]/10 172.22.1.0 Run `docker-compose restart postfix-mailcow` to apply your new settings. !!! Info - More information about mynetworks can be found in the [Postfix documentation](http://www.postfix.org/postconf.5.html#mynetworks). + More information about mynetworks can be found in the [Postfix documentation](http://www.postfix.org/postconf.5.html#mynetworks). From ecc7eb24280bbe5b2b78bfad94792554607e339d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Wed, 5 May 2021 22:57:42 +0200 Subject: [PATCH 130/288] Update u_e-nginx.md --- docs/u_e-nginx.md | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/docs/u_e-nginx.md b/docs/u_e-nginx.md index 9743b6e55..9581dd9b6 100644 --- a/docs/u_e-nginx.md +++ b/docs/u_e-nginx.md @@ -6,10 +6,17 @@ nano data/conf/nginx/my_custom_site.conf A good template to begin with: -``` hl_lines="9" +``` hl_lines="16" server { ssl_certificate /etc/ssl/mail/cert.pem; ssl_certificate_key /etc/ssl/mail/key.pem; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_prefer_server_ciphers on; + ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305; + ssl_ecdh_curve X25519:X448:secp384r1:secp256k1; + ssl_session_cache shared:SSL:50m; + ssl_session_timeout 1d; + ssl_session_tickets off; index index.php index.html; client_max_body_size 0; root /web; 
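Review bot: in the added `ssl_ecdh_curve X25519:X448:secp384r1:secp256k1;` line of docs/u_e-nginx.md, `secp256k1` is the Koblitz curve, not NIST P-256, and RFC 8422 deprecated it for TLS, so a client that only offers P-256 has no key exchange group in common with this template. If P-256 was intended, the OpenSSL name is `prime256v1`. The same line is repeated in the reverse proxy example in the next hunk, so the fix has to go in both.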
@@ -31,10 +38,17 @@ server { Another example with a reverse proxy configuration: -``` hl_lines="9 21" +``` hl_lines="16 28" server { ssl_certificate /etc/ssl/mail/cert.pem; ssl_certificate_key /etc/ssl/mail/key.pem; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_prefer_server_ciphers on; + ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305; + ssl_ecdh_curve X25519:X448:secp384r1:secp256k1; + ssl_session_cache shared:SSL:50m; + ssl_session_timeout 1d; + ssl_session_tickets off; index index.php index.html; client_max_body_size 0; root /web; From 5172d22b88d3e96e509d1e59d09d863518b15e24 Mon Sep 17 00:00:00 2001 From: xBytez Date: Wed, 5 May 2021 22:59:08 +0200 Subject: [PATCH 131/288] Fix cronjob formatting --- docs/b_n_r_backup.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/b_n_r_backup.md b/docs/b_n_r_backup.md index 9fb976e58..271a7b94e 100644 --- a/docs/b_n_r_backup.md +++ b/docs/b_n_r_backup.md @@ -37,7 +37,8 @@ MAILCOW_BACKUP_LOCATION=/opt/backup /opt/mailcow-dockerized/helper-scripts/backu You can run the backup script regularly via cronjob. Make sure `BACKUP_LOCATION` exists: -```5 4 * * * cd /opt/mailcow-dockerized/; MAILCOW_BACKUP_LOCATION=/mnt/mailcow_backups /opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh backup mysql crypt redis --delete-days 3 +``` +5 4 * * * cd /opt/mailcow-dockerized/; MAILCOW_BACKUP_LOCATION=/mnt/mailcow_backups /opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh backup mysql crypt redis --delete-days 3 ``` Per default cron sends the full result of each backup operation by email. If you want cron to only mail on error (non-zero exit code) you may want to use the following snippet. Pathes need to be modified according to your setup (this script is a user contribution). From 04cfc3dc2a592fc415e24eb3f3400d4110ef6c70 Mon Sep 17 00:00:00 2001 
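Review bot: in the docs/b_n_r_backup.md hunk, the context line "Make sure `BACKUP_LOCATION` exists" names a variable the cron entry never sets; the entry uses `MAILCOW_BACKUP_LOCATION=/mnt/mailcow_backups`. Since this patch already touches the block, align the name there. The job archives `mysql`, `crypt` and `redis`, so the text could also say that the target directory should be readable by root only.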
From: Michael Kuron Date: Thu, 6 May 2021 22:45:28 +0200 Subject: [PATCH 132/288] Switch client information from cookies to session storage --- docs/clients.js | 15 ++------------- 1 file changed, 2 insertions(+), 13 deletions(-) diff --git a/docs/clients.js b/docs/clients.js index cc6cf1257..78b4365f5 100644 --- a/docs/clients.js +++ b/docs/clients.js @@ -1,7 +1,7 @@ if (window.location.href.indexOf('/client/') >= 0) { window.window.addEventListener('load', function () { function setCookie(name, value) { - document.cookie = encodeURIComponent(name) + "=" + encodeURIComponent(value) + "; path=/"; + sessionStorage.setItem(name, value); } function getParameterByName(name) { @@ -39,18 +39,7 @@ if (window.location.href.indexOf('/client/') >= 0) { if (window.location.href.indexOf('/client') >= 0) { window.window.addEventListener('load', function () { function getCookie(cn) { - var fixedcn = encodeURIComponent(cn); - var cs = document.cookie.split(';'); - for (var i = 0; i < cs.length; i++) { - var c = cs[i]; - while (c.charAt(0) == ' ') { - c = c.substring(1); - } - if (c.indexOf(fixedcn + "=") == 0) { - return decodeURIComponent(c.substring(cn.length + 1, c.length)); - } - } - return ""; + return sessionStorage.getItem(cn); } /* Hide variable fields if no values are available */ From dddc905a031203c736924dc7d5e6c3164e14b285 Mon Sep 17 00:00:00 2001 From: MAGIC Date: Fri, 7 May 2021 18:17:59 +0200 Subject: [PATCH 133/288] Update mkdocs-material to 7.1.4 and pin modules to tagged releases --- .github/workflows/gh-pages.yml | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index e924c2c3b..d704c127e 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml 
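Review bot: in the docs/clients.js change, `getCookie` used to end with `return "";` when the name was missing, while `sessionStorage.getItem(cn)` returns `null`, so any caller that compares the result with the empty string or concatenates it now sees `null`. Return `sessionStorage.getItem(cn) || ""`, or check the callers under `/* Hide variable fields if no values are available */`. The helpers no longer touch cookies, so `setCookie` and `getCookie` should be renamed, and the commit message should mention that session storage is per tab: values stored on a `/client/` page are not visible in another tab or window.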
@@ -14,7 +14,7 @@ jobs: run: | sudo apt-get -y update sudo apt-get -y install python3-pip - pip install mkdocs-material pygments==2.9.0 mkdocs-redirects + pip install mkdocs-material==7.1.4 pygments==2.9.0 mkdocs-redirects==1.0.3 - name: Build site 🔧 run: | diff --git a/README.md b/README.md index bbc5b1471..a9d1b166c 100644 --- a/README.md +++ b/README.md @@ -9,6 +9,6 @@ https://mailcow.github.io/mailcow-dockerized-docs To build it locally, you need the [Material theme for MkDocs](https://squidfunk.github.io/mkdocs-material/), [MkDocs](https://www.mkdocs.org/) itself and [Pygments](http://pygments.org/). To install these with [pip](https://pip.pypa.io/en/stable/) and get it up and running, fire up your terminal and enter ``` -pip install mkdocs-material pygments==2.9.0 mkdocs-redirects +pip install mkdocs-material==7.1.4 pygments==2.9.0 mkdocs-redirects==1.0.3 mkdocs serve ``` From e4248056689a5646cd0354b7673f40cd5b7ff033 Mon Sep 17 00:00:00 2001 From: MAGIC Date: Mon, 10 May 2021 18:46:41 +0200 Subject: [PATCH 134/288] [GH-Actions] Update github-pages-deploy-action to 4.1.2 --- .github/workflows/gh-pages.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index d704c127e..058df2a12 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -21,7 +21,7 @@ jobs: mkdocs build --verbose --clean - name: Deploy 🚀 - uses: JamesIves/github-pages-deploy-action@4.1.1 + uses: JamesIves/github-pages-deploy-action@4.1.2 with: branch: gh-pages # The branch the action should deploy to. folder: site # The folder the action should deploy. From 2718f0490e3b47bb0ee92f20bf861834cff28bac Mon Sep 17 00:00:00 2001 From: Marc Leuser Date: Fri, 14 May 2021 09:28:46 +0200 Subject: [PATCH 135/288] fix a small typo in the xmpp FAQ --- docs/u_e-xmpp-faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
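Review bot: in .github/workflows/gh-pages.yml, the `uses: JamesIves/github-pages-deploy-action@4.1.2` line pins the deploy action to a tag, which the action's owner can move to different code, and this step runs with the credentials that push to `gh-pages`. Pin it to the full commit SHA of the release and keep the version as a trailing comment, so each bump in this series becomes a reviewable change of the SHA.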
diff --git a/docs/u_e-xmpp-faq.md b/docs/u_e-xmpp-faq.md index ee6f3c7a4..eef2d45b3 100644 --- a/docs/u_e-xmpp-faq.md +++ b/docs/u_e-xmpp-faq.md @@ -68,7 +68,7 @@ No, they will vanish: - **How many client sessions can be open at the same time?** -10 sessions are allowed per session. +10 sessions are allowed per user. ``` shaper_rules: From 4f1862ed951004984d5be618d29c50a93b5e4da2 Mon Sep 17 00:00:00 2001 From: MAGIC Date: Sun, 23 May 2021 22:52:28 +0200 Subject: [PATCH 136/288] [GH-Actions] Update github-pages-deploy-action to 4.1.3 --- .github/workflows/gh-pages.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 058df2a12..391b26026 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -21,7 +21,7 @@ jobs: mkdocs build --verbose --clean - name: Deploy 🚀 - uses: JamesIves/github-pages-deploy-action@4.1.2 + uses: JamesIves/github-pages-deploy-action@4.1.3 with: branch: gh-pages # The branch the action should deploy to. folder: site # The folder the action should deploy. From 0dd67c47c7044a213b47dc2af404ae3fab331e7d Mon Sep 17 00:00:00 2001 From: MAGIC Date: Sun, 23 May 2021 22:53:17 +0200 Subject: [PATCH 137/288] Update mkdocs-material to 7.1.5 --- .github/workflows/gh-pages.yml | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 391b26026..6043970d4 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -14,7 +14,7 @@ jobs: run: | sudo apt-get -y update sudo apt-get -y install python3-pip - pip install mkdocs-material==7.1.4 pygments==2.9.0 mkdocs-redirects==1.0.3 + pip install mkdocs-material==7.1.5 pygments==2.9.0 mkdocs-redirects==1.0.3 - name: Build site 🔧 run: | diff --git a/README.md b/README.md index a9d1b166c..128e342eb 100644 --- a/README.md +++ b/README.md 
@@ -9,6 +9,6 @@ https://mailcow.github.io/mailcow-dockerized-docs To build it locally, you need the [Material theme for MkDocs](https://squidfunk.github.io/mkdocs-material/), [MkDocs](https://www.mkdocs.org/) itself and [Pygments](http://pygments.org/). To install these with [pip](https://pip.pypa.io/en/stable/) and get it up and running, fire up your terminal and enter ``` -pip install mkdocs-material==7.1.4 pygments==2.9.0 mkdocs-redirects==1.0.3 +pip install mkdocs-material==7.1.5 pygments==2.9.0 mkdocs-redirects==1.0.3 mkdocs serve ``` From 2c91c41695bfa469c925262bf6a194165dcda53c Mon Sep 17 00:00:00 2001 From: Jan Kiesewetter <3628035+t3easy@users.noreply.github.com> Date: Tue, 25 May 2021 08:50:46 +0200 Subject: [PATCH 138/288] Update Traefik example - Define code block as Yaml - Use env HTTP_PORT to get the port Trafik should use - Use the default example `websecure` entrypoint like in Traefik examples --- docs/firststeps-rp.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/firststeps-rp.md b/docs/firststeps-rp.md index d33d03a0b..4b4b0a06d 100644 --- a/docs/firststeps-rp.md +++ b/docs/firststeps-rp.md @@ -185,7 +185,7 @@ For this we'll have to set `SKIP_LETS_ENCRYPT=y` on our `mailcow.conf`, and run Then we'll create a `docker-compose.override.yml` file in order to override the main `docker-compose.yml` found in your mailcow root folder. -``` +```yaml version: '2.1' services: 
@@ -204,10 +204,10 @@ services: - traefik.http.routers.moo.tls.certresolver=le # Creates a service called "moo" for the container, and specifies which internal port of the container # should traefik route the incoming data to. - - traefik.http.services.moo.loadbalancer.server.port=80 + - traefik.http.services.moo.loadbalancer.server.port=${HTTP_PORT} # Specifies which entrypoint (external port) should traefik listen to, for this container. # websecure being port 443, check the traefik.toml file liked above. - - traefik.http.routers.moo.entrypoints=secure + - traefik.http.routers.moo.entrypoints=websecure # Make sure traefik uses the web network, not the mailcowdockerized_mailcow-network - traefik.docker.network=web From 40cf3267b483b91c3c2f9c42b9c77582778a36ff Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Wed, 26 May 2021 15:26:59 +0200 Subject: [PATCH 139/288] Update third_party-roundcube.md --- docs/third_party-roundcube.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/third_party-roundcube.md b/docs/third_party-roundcube.md index dd2a99b18..bde36cfb8 100644 --- a/docs/third_party-roundcube.md +++ b/docs/third_party-roundcube.md @@ -2,9 +2,9 @@ Download Roundcube 1.4.x to the web htdocs directory and extract it (here `rc/`) ``` # Check for a newer release! cd data/web -wget -O - https://github.com/roundcube/roundcubemail/releases/download/1.4.9/roundcubemail-1.4.9-complete.tar.gz | tar xfvz - +wget -O - https://github.com/roundcube/roundcubemail/releases/download/1.4.11/roundcubemail-1.4.11-complete.tar.gz | tar xfvz - # Change folder name -mv roundcubemail-1.4.9 rc +mv roundcubemail-1.4.11 rc # Change permissions chown -R root: rc/ ``` From 04be45b253f2bddddfe0eb4ac4ce4051bb45c92f Mon Sep 17 00:00:00 2001 
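Review bot: in the docs/third_party-roundcube.md hunk, the updated `wget -O -` line still pipes the release tarball straight into `| tar xfvz -` under `data/web` with no integrity check, and the version now has to be edited in two places (the download URL and `mv roundcubemail-1.4.11 rc`). Suggest downloading to a file, verifying it against the checksum or signature published with the release, then extracting, and keeping the version in one shell variable used by both lines.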
From: andryyy Date: Fri, 28 May 2021 11:11:32 +0200 Subject: [PATCH 140/288] custom css --- docs/u_e-mailcow_ui-css.md | 3 +++ mkdocs.yml | 1 + 2 files changed, 4 insertions(+) create mode 100644 docs/u_e-mailcow_ui-css.md diff --git a/docs/u_e-mailcow_ui-css.md b/docs/u_e-mailcow_ui-css.md new file mode 100644 index 000000000..77a23f5bb --- /dev/null +++ b/docs/u_e-mailcow_ui-css.md @@ -0,0 +1,3 @@ +For custom overrides of specific elements via CSS, use `data/web/css/build/0081-custom-mailcow.css`. + +The file is excluded from tracking and persists over updates. diff --git a/mkdocs.yml b/mkdocs.yml index 666fbc45d..65a3b113a 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -65,6 +65,7 @@ nav: - 'Manual/Guides/Examples': - 'mailcow UI': - 'Configuration': 'u_e-mailcow_ui-config.md' + - 'CSS overrides': 'u_e-mailcow_ui-css.md' - 'Blacklist / Whitelist': 'u_e-mailcow_ui-bl_wl.md' - 'Pushover': 'u_e-mailcow_ui-pushover.md' - 'Spamfilter': 'u_e-mailcow_ui-spamfilter.md' From 4a47fb6e34922aa71a0adf6e23fc3d8466ea6c6a Mon Sep 17 00:00:00 2001 From: MAGIC Date: Sun, 30 May 2021 17:37:15 +0200 Subject: [PATCH 141/288] Update mkdocs-material to 7.1.6 --- .github/workflows/gh-pages.yml | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 6043970d4..eb09a5867 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -14,7 +14,7 @@ jobs: run: | sudo apt-get -y update sudo apt-get -y install python3-pip - pip install mkdocs-material==7.1.5 pygments==2.9.0 mkdocs-redirects==1.0.3 + pip install mkdocs-material==7.1.6 pygments==2.9.0 mkdocs-redirects==1.0.3 - name: Build site 🔧 run: | diff --git a/README.md b/README.md index 128e342eb..df9faf0dc 100644 --- a/README.md +++ b/README.md 
@@ -9,6 +9,6 @@ https://mailcow.github.io/mailcow-dockerized-docs To build it locally, you need the [Material theme for MkDocs](https://squidfunk.github.io/mkdocs-material/), [MkDocs](https://www.mkdocs.org/) itself and [Pygments](http://pygments.org/). To install these with [pip](https://pip.pypa.io/en/stable/) and get it up and running, fire up your terminal and enter ``` -pip install mkdocs-material==7.1.5 pygments==2.9.0 mkdocs-redirects==1.0.3 +pip install mkdocs-material==7.1.6 pygments==2.9.0 mkdocs-redirects==1.0.3 mkdocs serve ``` From 8c3102945a8a66f8c5e88b20e3a4ebc846e2d7e4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Tue, 1 Jun 2021 12:12:37 +0200 Subject: [PATCH 142/288] Update firststeps-logging.md --- docs/firststeps-logging.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/firststeps-logging.md b/docs/firststeps-logging.md index 2f12c33fb..56f8d0b7a 100644 --- a/docs/firststeps-logging.md +++ b/docs/firststeps-logging.md @@ -39,7 +39,7 @@ services: logging: driver: "gelf" options: - gelf-address: "udp://graylog:12201" + gelf-address: "udp://graylog:12201" ``` Another example for **Syslog**: From 4e8c17d5439d46a3ad627d08a9363724a8ea2df4 Mon Sep 17 00:00:00 2001 From: Maximilian Leith Date: Fri, 4 Jun 2021 10:54:47 +0200 Subject: [PATCH 143/288] updated browsers that support U2F --- docs/u_e-mailcow_ui-tfa.md | 29 +++++++++++++++++++++++------ 1 file changed, 23 insertions(+), 6 deletions(-) diff --git a/docs/u_e-mailcow_ui-tfa.md b/docs/u_e-mailcow_ui-tfa.md index 4e694e071..9a0ce1da6 100644 --- a/docs/u_e-mailcow_ui-tfa.md +++ b/docs/u_e-mailcow_ui-tfa.md 
@@ -1,10 +1,10 @@ -So far three methods for *Two-Factor Authentication* are implemented: U2F, Yubi OTP, and TOTP +So far three methods for _Two-Factor Authentication_ are implemented: U2F, Yubi OTP, and TOTP -- For U2F to work, you need an encrypted connection to the server (HTTPS) as well as a FIDO security key. -- Both U2F and Yubi OTP work well with the fantastic [Yubikey](https://www.yubico.com). -- While Yubi OTP needs an active internet connection and an API ID + key, U2F will work with any FIDO U2F USB key out of the box, but can only be used when mailcow is accessed over HTTPS. -- U2F and Yubi OTP support multiple keys per user. -- As the third TFA method mailcow uses TOTP: time-based one-time passwords. Those passwords can be generated with apps like "Google Authenticator" after initially scanning a QR code or entering the given secret manually. +- For U2F to work, you need an encrypted connection to the server (HTTPS) as well as a FIDO security key. +- Both U2F and Yubi OTP work well with the fantastic [Yubikey](https://www.yubico.com). +- While Yubi OTP needs an active internet connection and an API ID + key, U2F will work with any FIDO U2F USB key out of the box, but can only be used when mailcow is accessed over HTTPS. +- U2F and Yubi OTP support multiple keys per user. +- As the third TFA method mailcow uses TOTP: time-based one-time passwords. Those passwords can be generated with apps like "Google Authenticator" after initially scanning a QR code or entering the given secret manually. As administrator you are able to temporary disable a domain administrators TFA login until they successfully logged in. 
@@ -19,6 +19,23 @@ The API ID, API key and the first 12 characters (your YubiKeys ID in modhex) are ### U2F +To use U2F, the browser must support this standard. + +The following desktop browsers support this authentication type: + +- Edge (>=79) +- Firefox (>=47, enabled by default since version 67) +- Chrome (>=41) +- Safari (>=13) +- Opera (40, >=42, not 41) + +The following mobile browsers support this authentication type: + +- Safari on iOS (>=13.3) +- Firefox on Android (>=68) + +Sources: [caniuse.com](https://caniuse.com/u2f), [blog.mozilla.org](https://blog.mozilla.org/security/2019/08/05/web-authentication-in-firefox-for-android/) + Only Google Chrome (+derivatives) and Opera support U2F authentication to this day natively. Since version 67 Mozilla Firefox can handle U2F natively. ([Source](https://support.yubico.com/support/solutions/articles/15000017511-enabling-u2f-support-in-mozilla-firefox)) From 24fb085b6bf3b3a20a6d69487e847ede5ce6fee2 Mon Sep 17 00:00:00 2001 From: Maximilian Leith Date: Fri, 4 Jun 2021 10:57:59 +0200 Subject: [PATCH 144/288] removed old parts of the U2F section --- docs/u_e-mailcow_ui-tfa.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/docs/u_e-mailcow_ui-tfa.md b/docs/u_e-mailcow_ui-tfa.md index 9a0ce1da6..58e25c61f 100644 --- a/docs/u_e-mailcow_ui-tfa.md +++ b/docs/u_e-mailcow_ui-tfa.md @@ -36,9 +36,6 @@ The following mobile browsers support this authentication type: Sources: [caniuse.com](https://caniuse.com/u2f), [blog.mozilla.org](https://blog.mozilla.org/security/2019/08/05/web-authentication-in-firefox-for-android/) -Only Google Chrome (+derivatives) and Opera support U2F authentication to this day natively. -Since version 67 Mozilla Firefox can handle U2F natively. ([Source](https://support.yubico.com/support/solutions/articles/15000017511-enabling-u2f-support-in-mozilla-firefox)) - U2F works without an internet connection. ### TOTP From 61aee88b41a81edc6b79c989640a9373f29789fd Mon Sep 17 00:00:00 2001 
From: MAGIC Date: Sat, 5 Jun 2021 19:43:34 +0200 Subject: [PATCH 145/288] [GH-Actions][pages] Update github-pages-deploy-action to 4.1.4 --- .github/workflows/gh-pages.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index eb09a5867..9aaf95413 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -21,7 +21,7 @@ jobs: mkdocs build --verbose --clean - name: Deploy 🚀 - uses: JamesIves/github-pages-deploy-action@4.1.3 + uses: JamesIves/github-pages-deploy-action@4.1.4 with: branch: gh-pages # The branch the action should deploy to. folder: site # The folder the action should deploy. From 6892e0a1f75ee112b86f6527ffd606e1c78a5d36 Mon Sep 17 00:00:00 2001 From: MAGIC Date: Sun, 6 Jun 2021 16:13:30 +0200 Subject: [PATCH 146/288] [GH-Actions][pages] Update mkdocs-material to 7.1.7 --- .github/workflows/gh-pages.yml | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 9aaf95413..cdf77fc0e 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -14,7 +14,7 @@ jobs: run: | sudo apt-get -y update sudo apt-get -y install python3-pip - pip install mkdocs-material==7.1.6 pygments==2.9.0 mkdocs-redirects==1.0.3 + pip install mkdocs-material==7.1.7 pygments==2.9.0 mkdocs-redirects==1.0.3 - name: Build site 🔧 run: | diff --git a/README.md b/README.md index df9faf0dc..6befcbeb1 100644 --- a/README.md +++ b/README.md 
@@ -9,6 +9,6 @@ https://mailcow.github.io/mailcow-dockerized-docs To build it locally, you need the [Material theme for MkDocs](https://squidfunk.github.io/mkdocs-material/), [MkDocs](https://www.mkdocs.org/) itself and [Pygments](http://pygments.org/). To install these with [pip](https://pip.pypa.io/en/stable/) and get it up and running, fire up your terminal and enter ``` -pip install mkdocs-material==7.1.6 pygments==2.9.0 mkdocs-redirects==1.0.3 +pip install mkdocs-material==7.1.7 pygments==2.9.0 mkdocs-redirects==1.0.3 mkdocs serve ``` From 173f6890722f236e3e1cf7aa050a12277d6416ad Mon Sep 17 00:00:00 2001 From: MAGIC Date: Sat, 12 Jun 2021 21:20:12 +0200 Subject: [PATCH 147/288] [GH-Actions][pages] Update mkdocs-material to 7.1.8 --- .github/workflows/gh-pages.yml | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index cdf77fc0e..f6ecefd96 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -14,7 +14,7 @@ jobs: run: | sudo apt-get -y update sudo apt-get -y install python3-pip - pip install mkdocs-material==7.1.7 pygments==2.9.0 mkdocs-redirects==1.0.3 + pip install mkdocs-material==7.1.8 pygments==2.9.0 mkdocs-redirects==1.0.3 - name: Build site 🔧 run: | diff --git a/README.md b/README.md index 6befcbeb1..001361d7b 100644 --- a/README.md +++ b/README.md @@ -9,6 +9,6 @@ https://mailcow.github.io/mailcow-dockerized-docs To build it locally, you need the [Material theme for MkDocs](https://squidfunk.github.io/mkdocs-material/), [MkDocs](https://www.mkdocs.org/) itself and [Pygments](http://pygments.org/). To install these with [pip](https://pip.pypa.io/en/stable/) and get it up and running, fire up your terminal and enter ``` -pip install mkdocs-material==7.1.7 pygments==2.9.0 mkdocs-redirects==1.0.3 +pip install mkdocs-material==7.1.8 pygments==2.9.0 mkdocs-redirects==1.0.3 mkdocs serve ``` 
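Review bot: the pinned `pip install mkdocs-material==7.1.8 pygments==2.9.0 mkdocs-redirects==1.0.3` line is edited in both .github/workflows/gh-pages.yml and README.md, as in the earlier bumps in this series, so the two copies can drift apart. Move the pins into a `requirements.txt` that the workflow installs with `pip install -r requirements.txt` and that the README points to. That file can also pin `mkdocs` itself, which this line leaves to be resolved as an unpinned dependency.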
From d3a5778d69a6cbc289907185b3b6422a010af365 Mon Sep 17 00:00:00 2001 From: Daniel Lo Nigro Date: Sun, 13 Jun 2021 16:52:17 -0700 Subject: [PATCH 148/288] Small tweaks to prerequisite-dns.md --- docs/prerequisite-dns.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/prerequisite-dns.md b/docs/prerequisite-dns.md index e5e7427cd..f5886e69c 100644 --- a/docs/prerequisite-dns.md +++ b/docs/prerequisite-dns.md @@ -90,7 +90,7 @@ If you are interested in statistics, you can additionally register with some of !!! Tip It is worth considering that if you request DMARC statistic reports to your mailcow server and your mailcow server is not configured correctly to receive these reports, you may not get accurate and complete results. Please consider using an alternative email domain for receiving DMARC reports. -It is worth mentioning, that the following suggestions are not a comprehensive list of all services and tools avaialble, but only a small few of the many choices. +It is worth mentioning, that the following suggestions are not a comprehensive list of all services and tools available, but only a small few of the many choices. - [Postmaster Tool](https://gmail.com/postmaster) - [parsedmarc](https://github.com/domainaware/parsedmarc) (self-hosted) @@ -100,7 +100,7 @@ It is worth mentioning, that the following suggestions are not a comprehensive l !!! Tip -These services may provide you with a TXT record you need to insert into your DNS records as the provider specifies. Please ensure to read the providers documentation from the service you choose as this process may vary. +These services may provide you with a TXT record you need to insert into your DNS records as the provider specifies. Please ensure you read the provider's documentation from the service you choose as this process may vary. ### Email test for SPF, DKIM and DMARC: 
@@ -127,4 +127,4 @@ The full report will contain more technical details. ### Fully Qualified Domain Name (FQDN) -[^1]: A **Fully Qualified Domain Name** (**FQDN**) is the complete (absolute) domain name for a specific computer or host, on the Internet. The FQDN consists of at least three parts divided by a dot: the hostname (myhost), the domain name (mydomain) and the top level domain in short **tld** (com). In the example of `mx.mailcow.email` the hostname would be `mx`, the domain name `mailcow` and the tld `email`. +[^1]: A **Fully Qualified Domain Name** (**FQDN**) is the complete (absolute) domain name for a specific computer or host, on the Internet. The FQDN consists of at least three parts divided by a dot: the hostname, the domain name, and the Top Level Domain (**TLD** for short). In the example of `mx.mailcow.email` the hostname would be `mx`, the domain name `mailcow` and the TLD `email`. From 835757a9319a5bbf564719dd6fff67a2e4d0e14b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Fri, 18 Jun 2021 11:01:15 +0200 Subject: [PATCH 149/288] Update i_u_m_install.md --- docs/i_u_m_install.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/i_u_m_install.md b/docs/i_u_m_install.md index ddb7d28f6..444cb558b 100644 --- a/docs/i_u_m_install.md +++ b/docs/i_u_m_install.md @@ -3,7 +3,7 @@ **We do not recommend** CentOS 8 anymore. -You need Docker and Docker Compose. +You need Docker (a version >= `20.10.2` is required) and Docker Compose. **1\.** Learn how to install [Docker](https://docs.docker.com/install/) and [Docker Compose](https://docs.docker.com/compose/install/). From 932887c4e09a4863850cd6d0e11f7ce469c387a2 Mon Sep 17 00:00:00 2001 
From: Marc Samendinger Date: Mon, 21 Jun 2021 20:55:52 +0200 Subject: [PATCH 150/288] Update link to Solr Solr has become a Apache Software Foundation Top Level Project (TLP) on 17 February 2021. This means it moved from being a sub of lucene http://lucene.apache.org/solr/ to a new website. See https://web.archive.org/web/20210424020503/https://solr.apache.org/news.html#apache-solr-becomes-an-apache-tlp --- docs/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/index.md b/docs/index.md index c54fb769d..ef76ed5ef 100644 --- a/docs/index.md +++ b/docs/index.md @@ -78,7 +78,7 @@ Each container represents a single application. - [Redis](https://redis.io/) - [Rspamd](https://www.rspamd.com/) - [SOGo](https://sogo.nu/) -- [Solr](http://lucene.apache.org/solr/) (optional) +- [Solr](https://solr.apache.org/) (optional) - [Unbound](https://unbound.net/) - A Watchdog to provide basic monitoring From dd03205eb6dbdb5093744ffba1dfeae93ac4df3f Mon Sep 17 00:00:00 2001 From: MAGIC Date: Fri, 25 Jun 2021 18:03:21 +0200 Subject: [PATCH 151/288] [GH-Actions][pages] Update mkdocs-material to 7.1.9 --- .github/workflows/gh-pages.yml | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index f6ecefd96..159e6f6f1 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -14,7 +14,7 @@ jobs: run: | sudo apt-get -y update sudo apt-get -y install python3-pip - pip install mkdocs-material==7.1.8 pygments==2.9.0 mkdocs-redirects==1.0.3 + pip install mkdocs-material==7.1.9 pygments==2.9.0 mkdocs-redirects==1.0.3 - name: Build site 🔧 run: | diff --git a/README.md b/README.md index 001361d7b..5ca3a161e 100644 --- a/README.md +++ b/README.md 
@@ -9,6 +9,6 @@ https://mailcow.github.io/mailcow-dockerized-docs To build it locally, you need the [Material theme for MkDocs](https://squidfunk.github.io/mkdocs-material/), [MkDocs](https://www.mkdocs.org/) itself and [Pygments](http://pygments.org/). To install these with [pip](https://pip.pypa.io/en/stable/) and get it up and running, fire up your terminal and enter ``` -pip install mkdocs-material==7.1.8 pygments==2.9.0 mkdocs-redirects==1.0.3 +pip install mkdocs-material==7.1.9 pygments==2.9.0 mkdocs-redirects==1.0.3 mkdocs serve ``` From 6061ecc595182203d338872777600e8a3f005a54 Mon Sep 17 00:00:00 2001 From: Sascha Moser <28950736+xopez@users.noreply.github.com> Date: Mon, 28 Jun 2021 04:03:42 +0200 Subject: [PATCH 152/288] Normalize DNS to lowercase --- docs/prerequisite-dns.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/prerequisite-dns.md b/docs/prerequisite-dns.md index f5886e69c..c0659d55a 100644 --- a/docs/prerequisite-dns.md +++ b/docs/prerequisite-dns.md @@ -60,7 +60,7 @@ _dmarc IN TXT "v=DMARC1; p=reject; rua=mailto:mailauth-reports@ _autodiscover._tcp IN SRV 0 1 443 mail.example.org. (your ${MAILCOW_HOSTNAME}) _caldavs._tcp IN SRV 0 1 443 mail.example.org. (your ${MAILCOW_HOSTNAME}) _caldavs._tcp IN TXT "path=/SOGo/dav/" -_carddavs._tcp IN SRV 0 1 443 Mail.example.org. (your ${MAILCOW_HOSTNAME}) +_carddavs._tcp IN SRV 0 1 443 mail.example.org. (your ${MAILCOW_HOSTNAME}) _carddavs._tcp IN TXT "path=/SOGo/dav/" _imap._tcp IN SRV 0 1 143 mail.example.org. (your ${MAILCOW_HOSTNAME}) _imaps._tcp IN SRV 0 1 993 mail.example.org. (your ${MAILCOW_HOSTNAME}) From bae054e799fcefab525fd98c4a5d8982ce38403f Mon Sep 17 00:00:00 2001 
From: MAGIC Date: Wed, 30 Jun 2021 18:00:08 +0200 Subject: [PATCH 153/288] Remove mentions of XMPP --- docs/client/client-gajim_xmpp_client.md | 1 - docs/firststeps-rp.md | 10 +-- docs/index.md | 5 +- docs/prerequisite-system.md | 3 - docs/u_e-xmpp-enable.md | 98 ------------------------- docs/u_e-xmpp-faq.md | 76 ------------------- mkdocs.yml | 4 - 7 files changed, 4 insertions(+), 193 deletions(-) delete mode 100644 docs/client/client-gajim_xmpp_client.md delete mode 100644 docs/u_e-xmpp-enable.md delete mode 100644 docs/u_e-xmpp-faq.md diff --git a/docs/client/client-gajim_xmpp_client.md b/docs/client/client-gajim_xmpp_client.md deleted file mode 100644 index 85e6ff194..000000000 --- a/docs/client/client-gajim_xmpp_client.md +++ /dev/null @@ -1 +0,0 @@ -# WIP diff --git a/docs/firststeps-rp.md b/docs/firststeps-rp.md index d33d03a0b..d3ef9ba9b 100644 --- a/docs/firststeps-rp.md +++ b/docs/firststeps-rp.md @@ -48,13 +48,11 @@ Let's Encrypt will follow our rewrite, certificate requests in mailcow will work **Take care of highlighted lines.** -``` apache hl_lines="2 5 6 12 13 19 22 23 26 27 28 29 34 35" +``` apache hl_lines="2 10 11 17 22 23 24 25 30 31" ServerName CHANGE_TO_MAILCOW_HOSTNAME ServerAlias autodiscover.* ServerAlias autoconfig.* - ServerAlias xmpp_prefix_if_any.domain - ServerAlias *.xmpp_prefix_if_any.domain RewriteEngine on RewriteCond %{HTTPS} off @@ -70,8 +68,6 @@ Let's Encrypt will follow our rewrite, certificate requests in mailcow will work ServerName CHANGE_TO_MAILCOW_HOSTNAME ServerAlias autodiscover.* ServerAlias autoconfig.* - ServerAlias xmpp_prefix_if_any.domain - ServerAlias *.xmpp_prefix_if_any.domain # You should proxy to a plain HTTP session to offload SSL processing ProxyPass /Microsoft-Server-ActiveSync http://127.0.0.1:8080/Microsoft-Server-ActiveSync connectiontimeout=4000 
@@ -106,13 +102,13 @@ Let's Encrypt will follow our rewrite, certificate requests will work fine. server { listen 80 default_server; listen [::]:80 default_server; - server_name CHANGE_TO_MAILCOW_HOSTNAME autodiscover.* autoconfig.* xmpp_prefix_if_any.domain *.xmpp_prefix_if_any.domain; + server_name CHANGE_TO_MAILCOW_HOSTNAME autodiscover.* autoconfig.*; return 301 https://$host$request_uri; } server { listen 443 ssl http2; listen [::]:443 ssl http2; - server_name CHANGE_TO_MAILCOW_HOSTNAME autodiscover.* autoconfig.* xmpp_prefix_if_any.domain *.xmpp_prefix_if_any.domain; + server_name CHANGE_TO_MAILCOW_HOSTNAME autodiscover.* autoconfig.*; ssl_certificate MAILCOW_PATH/data/assets/ssl/cert.pem; ssl_certificate_key MAILCOW_PATH/data/assets/ssl/key.pem; diff --git a/docs/index.md b/docs/index.md index ef76ed5ef..d8b09f192 100644 --- a/docs/index.md +++ b/docs/index.md @@ -67,7 +67,6 @@ Each container represents a single application. - [ACME](https://letsencrypt.org/) - [ClamAV](https://www.clamav.net/) (optional) - [Dovecot](https://www.dovecot.org/) -- [ejabberd](https://www.ejabberd.im/) - [MariaDB](https://mariadb.org/) - [Memcached](https://www.memcached.org/) - [Netfilter](https://www.netfilter.org/) (Fail2ban-like integration by [@mkuron](https://github.com/mkuron)) @@ -94,6 +93,4 @@ Each container represents a single application. - sogo-web-vol-1 - solr-vol-1 - vmail-index-vol-1 -- vmail-vol-1 -- xmpp-upload-vol-1 -- xmpp-vol-1 +- vmail-vol-1 \ No newline at end of file diff --git a/docs/prerequisite-system.md b/docs/prerequisite-system.md index 8ece0257c..6c5df19f3 100644 --- a/docs/prerequisite-system.md +++ b/docs/prerequisite-system.md 
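Review bot: The last hunk of docs/index.md leaves the file without a trailing newline (`- vmail-vol-1` followed by "\ No newline at end of file"). Keep the final newline so that the next edit to the volume list does not show this unrelated line as changed.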
@@ -70,9 +70,6 @@ If you have a firewall in front of mailcow, please make sure that these ports ar | Dovecot POP3S | TCP | 995 | dovecot-mailcow | `${POPS_PORT}` | | Dovecot ManageSieve | TCP | 4190 | dovecot-mailcow | `${SIEVE_PORT}` | | HTTP(S) | TCP | 80/443 | nginx-mailcow | `${HTTP_PORT}` / `${HTTPS_PORT}` | -| XMPP (c2s) | TCP | 5222 | ejabberd-mailcow | `${XMPP_C2S_PORT}` | -| XMPP (s2s) | TCP | 5269 | ejabberd-mailcow | `${XMPP_C2S_PORT}` | -| XMPP (upload) | TCP | 5443 | ejabberd-mailcow | `${XMPP_HTTPS_PORT}` | To bind a service to an IP address, you can prepend the IP like this: `SMTP_PORT=1.2.3.4:25` diff --git a/docs/u_e-xmpp-enable.md b/docs/u_e-xmpp-enable.md deleted file mode 100644 index 3d4dc0adf..000000000 --- a/docs/u_e-xmpp-enable.md +++ /dev/null 
@@ -1,98 +0,0 @@ -XMPP is provided by ejabberd, which describes itself as robust, scalable and extensible XMPP Server. - -So first of all, thanks to ejabberd and its contributers! - -## Enable XMPP in mailcow - -To enable XMPP for a domain, you need to edit the given domain in mailcow UI: - -![Screen1](https://i.imgur.com/oLyHBke.png) - -The chosen prefix will be used to derive your XMPP login. - -A prefix **xmpp_prefix** for the mailbox user `cowboy@develcow.de` would equal to the JID `cowboy@xmpp_prefix.develcow.de`. - -!!! info - The login passwords for mail and XMPP are the same. XMPP users are authenticated against mailcow. - -Before enabling XMPP for a domain, you should create two CNAME records in DNS: - -``` -# CNAMES -# Name Type Value -xmpp_prefix IN CNAME mail.example.org. (your ${MAILCOW_HOSTNAME}) -*.xmpp_prefix IN CNAME mail.example.org. (your ${MAILCOW_HOSTNAME}) -``` - -These two CNAMEs are essential for acquiring a certificate. Please **do not** add "xmpp_prefix.domain.tld" as name to `ADDITIONAL_SAN`. - -Make sure your CNAMEs are correct. Enable XMPP for your domain now. - -If you enabled XMPP first and then added your DNS records there is no need to worry. You will just need to wait for ejabberd to automatically acquire the certificates or -simply restart ejabberd-mailcow to trigger the process immediately: `docker-compose restart ejabberd-mailcow`. - -Once ejabberd is enabled, you may want to re-run the DNS check in the mailcow UI where you will find two more SRV records: - -![Screen2](https://i.imgur.com/IxlUZ7y.png) - -``` -# SRV records -# Name Type Value -_xmpp-client._tcp.xmpp_prefix IN SRV 10 1 5222 mail.example.org. (your ${MAILCOW_HOSTNAME}) -_xmpp-server._tcp.xmpp_prefix IN SRV 10 1 5269 mail.example.org. (your ${MAILCOW_HOSTNAME}) -``` - -There is no need to restart ejabberd, add these SRV records whenever you like. These records are crucial for autoconfiguration of XMPP clients and server-to-server connections. 
- -## ACL - -A domain administrator can be given the right to toggle XMPP access for domains and mailboxes, promoting users to XMPP administrators (WIP) and to change the prefix: - -![Screen3](https://i.imgur.com/OxKuDFU.png) - -## Verify certificates - -Once everything is setup, make sure ejabberd was able to acquire certificates: - -If you see a message similar to... - -``` -ejabberd-mailcow_1 | 2021-02-13 14:40:19.507956+01:00 [error] Failed to request certificate for im.example.org, pubsub.im.example.org and 3 more hosts: Challenge failed for domain conference.im.example.org: ACME server reported: DNS problem: NXDOMAIN looking up A for conference.im.example.org - check that a DNS record exists for this domain (error type: dns) -``` - -...you may need to recheck your DNS configuration or restart ejabberd-mailcow to restart the process in case of slow DNS propagation. - -Opening `https://xmpp_prefix.domain.tld:5443/upload` should point you to a 404 page with a valid certificate. - -## Why can't we use no prefix? - -It does not matter which server name we point our SRV to, Jabber will always rely on the domain given in a JID. We would need to acquire a certificate for the SLD `domain.tld`, which hardly anyone wants to point to its mail system. - -We are sorry for this circumstance. As soon as we implemented Servercows DNS API, this may be reconsidered. - -## My reverse proxy does not work anymore - -If your reverse proxy is configured to point to a site like `webmail.domain.tld` **which mailcow is not aware of** (as in MAILCOW_HOSTNAME does **not** match `webmail.domain.tld`), you may now be redirected to the default ejabberd Nginx site. - -That's because mailcow does not know it should respond to `webmail.domain.tld` with mailcow UI. - -### Method 1 - -A more simple approach is defining `ADDITIONAL_SERVER_NAMES` in `mailcow.conf`: - -``` -ADDITIONAL_SERVER_NAMES=webmail.domain.tld -``` - -Run `docker-compose up -d` to apply. 
- -### Method 2 - -In your reverse proxy configuration, make sure you set a "Host" header that mailcow actually services, similar to this (Nginx example): - -``` -proxy_set_header Host MAILCOW_HOSTNAME; -# Instead of proxy_set_header Host $http_host; -``` - -Now you can use whatever name you like, as long mailcow receives a known "Host" header. diff --git a/docs/u_e-xmpp-faq.md b/docs/u_e-xmpp-faq.md deleted file mode 100644 index eef2d45b3..000000000 --- a/docs/u_e-xmpp-faq.md +++ /dev/null 
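Review bot: The "My reverse proxy does not work anymore" section deleted along with docs/u_e-xmpp-enable.md documents `ADDITIONAL_SERVER_NAMES` in `mailcow.conf` and the `proxy_set_header Host MAILCOW_HOSTNAME;` override, neither of which is an XMPP setting. If a proxy pointing at a name mailcow does not know can still hit the wrong site once ejabberd is gone, move Method 1 and Method 2 into docs/firststeps-rp.md, which this patch already edits, instead of dropping them.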
@@ -1,76 +0,0 @@ -## FAQ - -Please find the most frequently asked questions with their corresponding configuration in `data/conf/ejabberd/ejabberd.yml` (if any). - -- **I do not want to run ejabberd, is there a `SKIP_XMPP` variable?** - -No, there is not. But you don't need one either. - -The xmppd behaves the same way as SOGo or Solr do when disabled. A shell will be idling and ejabberd will **not** be started (but open unconnected ports). - -As soon as a domain is enabled for XMPP, the container will be restarted and ejabberd bootstrapped. - -ejabberd is **very** light on resources, you may want to give it a try. - -- **Are messages stored on the server?** - -Not by default. The default setting is to disable the message archive via mod_mam but allow users to enable the function if they want to: - -``` - mod_mam: - clear_archive_on_room_destroy: true - default: never - compress_xml: true - request_activates_archiving: true -``` - -- **Are uploaded files stored on the server?** - -Yes, uploaded files are stored in the volume `xmpp-uploads-vol-1`. - -The retention policy saves them for 30 days: - -``` - mod_http_upload_quota: - max_days: 30 -``` - -- **Are messages stored when a JID is offline?** - -Yes, up to 1000 messages are stored for "normal" users and administrators: - -``` -shaper_rules: - max_user_offline_messages: - 1000: admin - 1000: all -``` - -- **Are messages written in group chats stored?** - -No, messages are not stored: - -``` - mod_muc: - default_room_options: - mam: false -``` - -- **Are group chats persistent when the last participant leaves?** - -No, they will vanish: - -``` - mod_muc: - default_room_options: - persistent: false -``` - -- **How many client sessions can be open at the same time?** - -10 sessions are allowed per user. - -``` -shaper_rules: - max_user_sessions: 10 -``` diff --git a/mkdocs.yml b/mkdocs.yml index 65a3b113a..6f64f5853 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
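Review bot: Deleting docs/u_e-xmpp-enable.md, docs/u_e-xmpp-faq.md and docs/client/client-gajim_xmpp_client.md leaves their published URLs answering 404 for existing links and bookmarks. The build already installs mkdocs-redirects (it is pinned in the pip install line), so add `redirect_maps` entries that send the three removed pages to a page that still exists, such as index.md.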
@@ -99,9 +99,6 @@ nav: - 'Redis': 'u_e-redis.md' - 'Rspamd': 'u_e-rspamd.md' - 'SOGo': 'u_e-sogo.md' - - 'XMPP': - - 'FAQ': 'u_e-xmpp-faq.md' - - 'Enable XMPP': 'u_e-xmpp-enable.md' - 'Docker': - 'Customize Dockerfiles': 'u_e-docker-cust_dockerfiles.md' - 'Docker Compose Bash Completion': 'u_e-docker-dc_bash_compl.md' @@ -114,7 +111,6 @@ nav: - 'Android': 'client/client-android.md' - 'Apple macOS / iOS': 'client/client-apple.md' - 'eM Client': 'client/client-emclient.md' - - 'Gajim XMPP client': 'client/client-gajim_xmpp_client.md' - 'KDE Kontact': 'client/client-kontact.md' - 'Microsoft Outlook': 'client/client-outlook.md' - 'Mozilla Thunderbird': 'client/client-thunderbird.md' From d7289022613cbef5e9464e20692f986f4c811e31 Mon Sep 17 00:00:00 2001 From: Peter Date: Sun, 4 Jul 2021 17:14:05 +0200 Subject: [PATCH 154/288] Update debug-reset_pw.md Related to https://github.com/mailcow/mailcow-dockerized/pull/4162 --- docs/debug-reset_pw.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/debug-reset_pw.md b/docs/debug-reset_pw.md index 149d73124..485ca877a 100644 --- a/docs/debug-reset_pw.md +++ b/docs/debug-reset_pw.md @@ -1,6 +1,6 @@ ## mailcow Admin Account -Reset mailcow admin to `admin:moohoo`. Older mailcow: dockerized installations may find `mailcow-reset-admin.sh` in their mailcow root directory (mailcow_path). +Resets the mailcow admin account to a random password. Older mailcow: dockerized installations may find the `mailcow-reset-admin.sh` script in their mailcow root directory (mailcow_path). ``` cd mailcow_path From 340d34556e2439fdde735fef4e034ac727dd45c1 Mon Sep 17 00:00:00 2001 From: MAGIC Date: Sat, 10 Jul 2021 15:33:11 +0200 Subject: [PATCH 155/288] [GH-Actions][pages] Update mkdocs-material to 7.1.10 --- .github/workflows/gh-pages.yml | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 159e6f6f1..f539edc2d 100644 
--- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -14,7 +14,7 @@ jobs: run: | sudo apt-get -y update sudo apt-get -y install python3-pip - pip install mkdocs-material==7.1.9 pygments==2.9.0 mkdocs-redirects==1.0.3 + pip install mkdocs-material==7.1.10 pygments==2.9.0 mkdocs-redirects==1.0.3 - name: Build site 🔧 run: | diff --git a/README.md b/README.md index 5ca3a161e..e30f2e930 100644 --- a/README.md +++ b/README.md @@ -9,6 +9,6 @@ https://mailcow.github.io/mailcow-dockerized-docs To build it locally, you need the [Material theme for MkDocs](https://squidfunk.github.io/mkdocs-material/), [MkDocs](https://www.mkdocs.org/) itself and [Pygments](http://pygments.org/). To install these with [pip](https://pip.pypa.io/en/stable/) and get it up and running, fire up your terminal and enter ``` -pip install mkdocs-material==7.1.9 pygments==2.9.0 mkdocs-redirects==1.0.3 +pip install mkdocs-material==7.1.10 pygments==2.9.0 mkdocs-redirects==1.0.3 mkdocs serve ``` From 20ba3392626ebe8e7fdb5e60130d61b61f4a0cc0 Mon Sep 17 00:00:00 2001 From: cybernet Date: Sun, 18 Jul 2021 12:21:01 +0100 Subject: [PATCH 156/288] one liner --- docs/i_u_m_install.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/i_u_m_install.md b/docs/i_u_m_install.md index 444cb558b..764f462cc 100644 --- a/docs/i_u_m_install.md +++ b/docs/i_u_m_install.md @@ -13,8 +13,7 @@ Quick installation for most operation systems: ``` curl -sSL https://get.docker.com/ | CHANNEL=stable sh # After the installation process is finished, you may need to enable the service and make sure it is started (e.g. CentOS 7) -systemctl enable docker.service -systemctl start docker.service +systemctl enable --now docker ``` - Docker-Compose From 901d00554cf5b56a6c6df110256789437985fbc9 Mon Sep 17 00:00:00 2001 
From: Peter Date: Sun, 18 Jul 2021 19:21:23 +0200 Subject: [PATCH 157/288] [GH-Actions][pages] Update mkdocs-material to 7.1.11 --- .github/workflows/gh-pages.yml | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index f539edc2d..7b3ac61fb 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -14,7 +14,7 @@ jobs: run: | sudo apt-get -y update sudo apt-get -y install python3-pip - pip install mkdocs-material==7.1.10 pygments==2.9.0 mkdocs-redirects==1.0.3 + pip install mkdocs-material==7.1.11 pygments==2.9.0 mkdocs-redirects==1.0.3 - name: Build site 🔧 run: | diff --git a/README.md b/README.md index e30f2e930..75f507540 100644 --- a/README.md +++ b/README.md @@ -9,6 +9,6 @@ https://mailcow.github.io/mailcow-dockerized-docs To build it locally, you need the [Material theme for MkDocs](https://squidfunk.github.io/mkdocs-material/), [MkDocs](https://www.mkdocs.org/) itself and [Pygments](http://pygments.org/). To install these with [pip](https://pip.pypa.io/en/stable/) and get it up and running, fire up your terminal and enter ``` -pip install mkdocs-material==7.1.10 pygments==2.9.0 mkdocs-redirects==1.0.3 +pip install mkdocs-material==7.1.11 pygments==2.9.0 mkdocs-redirects==1.0.3 mkdocs serve ``` From 88a240885a4ce6bbae072bd3dd35bbabd062dcbe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Mon, 19 Jul 2021 09:39:43 +0200 Subject: [PATCH 158/288] Update u_e-nginx.md --- docs/u_e-nginx.md | 31 ++++++++++++++++++++++++++----- 1 file changed, 26 insertions(+), 5 deletions(-) diff --git a/docs/u_e-nginx.md b/docs/u_e-nginx.md index 9581dd9b6..b82081aea 100644 --- a/docs/u_e-nginx.md +++ b/docs/u_e-nginx.md 
@@ -1,11 +1,19 @@ +## SSL + +Please see [Advanced SSL](https://mailcow.github.io/mailcow-dockerized-docs/firststeps-ssl/) and explicitly check `ADDITIONAL_SERVER_NAMES` for SSL configuration. + +Please do not add ADDITIONAL_SERVER_NAMES when you plan to use a different web root. + +## New site + To create persistent (over updates) sites hosted by mailcow: dockerized, a new site configuration must be placed inside `data/conf/nginx/`: +A good template to begin with: + ``` nano data/conf/nginx/my_custom_site.conf ``` -A good template to begin with: - ``` hl_lines="16" server { ssl_certificate /etc/ssl/mail/cert.pem; @@ -19,15 +27,20 @@ server { ssl_session_tickets off; index index.php index.html; client_max_body_size 0; + # Location: data/web root /web; + # Location: data/web/mysite.com + #root /web/mysite.com include /etc/nginx/conf.d/listen_plain.active; include /etc/nginx/conf.d/listen_ssl.active; server_name mysite.example.org; server_tokens off; + # This allows acme to be validated even with a different web root location ^~ /.well-known/acme-challenge/ { - allow all; default_type "text/plain"; + rewrite /.well-known/acme-challenge/(.*) /$1 break; + root /web/.well-known/acme-challenge/; } if ($scheme = http) { @@ -36,8 +49,14 @@ server { } ``` +## New site with proxy to a remote location + Another example with a reverse proxy configuration: +``` +nano data/conf/nginx/my_custom_site.conf +``` + ``` hl_lines="16 28" server { ssl_certificate /etc/ssl/mail/cert.pem; @@ -77,8 +96,9 @@ server { } ``` +## Config expansion in mailcows Nginx -The filename is not important, as long as the filename carries a .conf extension. +The filename used for a new site is not important, as long as the filename carries a .conf extension. It is also possible to extend the configuration of the default file `site.conf` file: 
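Review bot: In docs/u_e-nginx.md the first template keeps `hl_lines="16"`, but the hunk at @@ -19,15 +27,20 @@ inserts three lines above `server_name mysite.example.org;`, so by the hunk's own line counts the highlight now lands on `#root /web/mysite.com` and `server_name` has moved to line 19. Change it to `hl_lines="19"` if the server name is still the line readers are meant to edit. In the first hunk, "A good template to begin with:" has been moved above the `nano` command and no longer introduces the server block; keep it directly above the template fence.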
@@ -86,7 +106,7 @@ It is also possible to extend the configuration of the default file `site.conf` nano data/conf/nginx/site.my_content.custom ``` -This filename does not need to have a ".conf" extension, but follows the pattern `site.*.custom`, where `*` is a custom name. +This filename does not need to have a ".conf" extension but follows the pattern `site.*.custom`, where `*` is a custom name. If PHP is to be included in a custom site, please use the PHP-FPM listener on phpfpm:9002 or create a new listener in `data/conf/phpfpm/php-fpm.d/pools.conf`. @@ -96,3 +116,4 @@ Restart Nginx (and PHP-FPM, if a new listener was created): docker-compose restart nginx-mailcow docker-compose restart php-fpm-mailcow ``` + From cd0f49780c16aae712b5614ad09bb723c335167e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Wed, 21 Jul 2021 15:36:39 +0200 Subject: [PATCH 159/288] Update b_n_r_backup.md --- docs/b_n_r_backup.md | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/docs/b_n_r_backup.md b/docs/b_n_r_backup.md index 271a7b94e..60e6c301e 100644 --- a/docs/b_n_r_backup.md +++ b/docs/b_n_r_backup.md 
@@ -72,3 +72,26 @@ if [ $RESULT -ne 0 ] cat "$OUT" fi ``` + +# Backup strategy with rsync and mailcow backup script + +Create the destination directory for mailcows helper script: +``` +mkdir -p /external_share/backups/backup_script +``` + +Create cronjobs: +``` +25 1 * * * rsync -aH --delete /opt/mailcow-dockerized /external_share/backups/mailcow-dockerized +40 2 * * * rsync -aH --delete /var/lib/docker/volumes /external_share/backups/var_lib_docker_volumes +5 4 * * * cd /opt/mailcow-dockerized/; BACKUP_LOCATION=/external_share/backups/backup_script /opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh backup mysql crypt redis --delete-days 3 +# If you want to, use the acl util to backup permissions of some/all folders/files: getfacl -Rn /path +``` + +On the destination (in this case `/external_share/backups`) you may want to have snapshot capabilities (ZFS, Btrfs etc.). Snapshot daily and keep for n days for a consistent backup. +Do **not** rsync to a Samba share, you need to keep the correct permissions! + +To restore you'd simply need to run rsync the other way round and restart Docker to re-read the volumes. Run `docker-compose pull` and `docker-compose up -d`. + +If you are lucky Redis and MariaDB can automatically fix the inconsistent databases (if they _are_ inconsistent). +In case of a corrupted database you'd need to use the helper script to restore the inconsistent elements. If a restore fails, try to extract the backups and copy the files back manually. Keep the file permissions! From 4971da683d97a38294c1e0e28985127ff88f076c Mon Sep 17 00:00:00 2001 From: Peter Date: Sat, 24 Jul 2021 22:40:26 +0200 Subject: [PATCH 160/288] [GH-Actions][pages] Update mkdocs-material to 7.2.0 --- .github/workflows/gh-pages.yml | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 7b3ac61fb..dcbbcaf7d 100644 --- a/.github/workflows/gh-pages.yml 
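Review bot: In the cron block added to docs/b_n_r_backup.md, the jobs place a full copy of /var/lib/docker/volumes, the /opt/mailcow-dockerized tree and the helper script's `crypt` backup under /external_share/backups, yet the text only warns about preserving permissions and says nothing about who may read that share. Add a sentence requiring the destination to be readable by root only, and encrypted if it is stored off the host. Also, `rsync -aH --delete /opt/mailcow-dockerized /external_share/backups/mailcow-dockerized` has no trailing slash on the source, so the copy ends up one level deeper in mailcow-dockerized/mailcow-dockerized, which makes "run rsync the other way round" ambiguous at restore time; write both paths with a trailing slash.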
+++ b/.github/workflows/gh-pages.yml @@ -14,7 +14,7 @@ jobs: run: | sudo apt-get -y update sudo apt-get -y install python3-pip - pip install mkdocs-material==7.1.11 pygments==2.9.0 mkdocs-redirects==1.0.3 + pip install mkdocs-material==7.2.0 pygments==2.9.0 mkdocs-redirects==1.0.3 - name: Build site 🔧 run: | diff --git a/README.md b/README.md index 75f507540..4c1e7650e 100644 --- a/README.md +++ b/README.md @@ -9,6 +9,6 @@ https://mailcow.github.io/mailcow-dockerized-docs To build it locally, you need the [Material theme for MkDocs](https://squidfunk.github.io/mkdocs-material/), [MkDocs](https://www.mkdocs.org/) itself and [Pygments](http://pygments.org/). To install these with [pip](https://pip.pypa.io/en/stable/) and get it up and running, fire up your terminal and enter ``` -pip install mkdocs-material==7.1.11 pygments==2.9.0 mkdocs-redirects==1.0.3 +pip install mkdocs-material==7.2.0 pygments==2.9.0 mkdocs-redirects==1.0.3 mkdocs serve ``` From 99f68615239c15c2c753f8704ef07305c1111a80 Mon Sep 17 00:00:00 2001 From: Peter Date: Sun, 25 Jul 2021 22:08:37 +0200 Subject: [PATCH 161/288] [GH-Actions][pages] Update mkdocs-material to 7.2.1 --- .github/workflows/gh-pages.yml | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index dcbbcaf7d..4ea2d63eb 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -14,7 +14,7 @@ jobs: run: | sudo apt-get -y update sudo apt-get -y install python3-pip - pip install mkdocs-material==7.2.0 pygments==2.9.0 mkdocs-redirects==1.0.3 + pip install mkdocs-material==7.2.1 pygments==2.9.0 mkdocs-redirects==1.0.3 - name: Build site 🔧 run: | diff --git a/README.md b/README.md index 4c1e7650e..57be3bf5a 100644 --- a/README.md +++ b/README.md 
@@ -9,6 +9,6 @@ https://mailcow.github.io/mailcow-dockerized-docs To build it locally, you need the [Material theme for MkDocs](https://squidfunk.github.io/mkdocs-material/), [MkDocs](https://www.mkdocs.org/) itself and [Pygments](http://pygments.org/). To install these with [pip](https://pip.pypa.io/en/stable/) and get it up and running, fire up your terminal and enter ``` -pip install mkdocs-material==7.2.0 pygments==2.9.0 mkdocs-redirects==1.0.3 +pip install mkdocs-material==7.2.1 pygments==2.9.0 mkdocs-redirects==1.0.3 mkdocs serve ``` From 8a66d36c7c8d39de1cf969d5881e3d59db0e5ee0 Mon Sep 17 00:00:00 2001 From: Patrik Kernstock Date: Fri, 30 Jul 2021 23:17:14 +0100 Subject: [PATCH 162/288] Updated indentation of YAML file --- mkdocs.yml | 216 ++++++++++++++++++++++++++--------------------------- 1 file changed, 108 insertions(+), 108 deletions(-) diff --git a/mkdocs.yml b/mkdocs.yml index 6f64f5853..27e14debf 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
@@ -20,113 +20,113 @@ markdown_extensions: - pymdownx.extra - footnotes nav: -- 'Information & Support': 'index.md' -- 'Prerequisites': - - 'Prepare your system': 'prerequisite-system.md' - - 'DNS setup': 'prerequisite-dns.md' -- 'Installation, Update & Migration': - - 'Installation': 'i_u_m_install.md' - - 'Update': 'i_u_m_update.md' - - 'Migration': 'i_u_m_migration.md' - - 'Deinstallation': 'i_u_m_deinstall.md' -- 'Post Installation Tasks': - - 'Advanced SSL': 'firststeps-ssl.md' - - 'Disable IPv6': 'firststeps-disable_ipv6.md' - - 'IP bindings': 'firststeps-ip_bindings.md' - - 'Local MTA on Docker host': 'firststeps-local_mta.md' - - 'Logging': 'firststeps-logging.md' - - 'Relayhosts': 'firststeps-relayhost.md' - - 'Reverse Proxy': 'firststeps-rp.md' - - 'Rspamd UI': 'firststeps-rspamd_ui.md' - - 'SNAT': 'firststeps-snat.md' - - 'Sync job migration': 'firststeps-sync_jobs_migration.md' - - 'Add trusted networks': 'firststeps-trust_networks.md' -- 'Models': - - 'ACL': 'model-acl.md' - - 'Password hashing': 'model-passwd.md' - - 'Sender and receiver model': 'model-sender_rcv.md' -- 'General Troubleshooting': - - 'Introduction': debug.md - - 'Logs': 'debug-logs.md' - - 'Attach a Container': 'debug-attach_service.md' - - 'Reset Passwords (incl. 
SQL)': 'debug-reset_pw.md' - - 'Manual MySQL upgrade': 'debug-mysql_upgrade.md' - - 'Remove Persistent Data': 'debug-rm_volumes.md' - - 'Common Problems': 'debug-common_problems.md' - - 'Admin login to SOGo': 'debug-admin_login_sogo.md' - - 'Reset TLS certificates': 'debug-reset-tls.md' -- 'Backup & Restore': - - 'Helper script': - - 'Backup': 'b_n_r_backup.md' - - 'Restore': 'b_n_r_restore.md' - - 'Manually': - - 'Maildir': 'u_e-backup_restore-maildir.md' - - 'MySQL': 'u_e-backup_restore-mysql.md' -- 'Manual/Guides/Examples': - - 'mailcow UI': - - 'Configuration': 'u_e-mailcow_ui-config.md' - - 'CSS overrides': 'u_e-mailcow_ui-css.md' - - 'Blacklist / Whitelist': 'u_e-mailcow_ui-bl_wl.md' - - 'Pushover': 'u_e-mailcow_ui-pushover.md' - - 'Spamfilter': 'u_e-mailcow_ui-spamfilter.md' - - 'Temporary email aliases': 'u_e-mailcow_ui-spamalias.md' - - 'Tagging': 'u_e-mailcow_ui-tagging.md' - - 'Two-Factor Authentication': 'u_e-mailcow_ui-tfa.md' - - 'WebAuthn / FIDO2': 'u_e-fido2.md' - - 'Postfix': - - 'Custom transport maps': 'u_e-postfix-custom_transport.md' - - 'Whitelist IP in Postscreen': 'u_e-postfix-postscreen_whitelist.md' - - 'Customize/Expand main.cf': 'u_e-postfix-extra_cf.md' - - 'Disable Sender Addresses Verification': 'u_e-postfix-disable_sender_verification.md' - - 'Max. 
message size (attachment size)': 'u_e-postfix-attachment_size.md' - - 'Statistics with pflogsumm': 'u_e-postfix-pflogsumm.md' - - 'Unbound': - - 'Using an external DNS service': 'u_e-unbound-fwd.md' - - 'Dovecot': - - 'Enable "any" ACL settings': 'u_e-dovecot-any_acl.md' - - 'Expunge a Users mails': 'u_e-dovecot-expunge.md' - - 'Customize/Expand dovecot.conf': 'u_e-dovecot-extra_conf.md' - - 'FTS (Solr)': 'u_e-dovecot-fts.md' - - 'IMAP IDLE interval': 'u_e-dovecot-idle_interval.md' - - 'Mail crypt': 'u_e-dovecot-mail-crypt.md' - - 'More Examples with DOVEADM': 'u_e-dovecot-more.md' - - 'Move Maildir (vmail)': 'u_e-dovecot-vmail-volume.md' - - 'Public folders': 'u_e-dovecot-public_folder.md' - - 'Static master user': 'u_e-dovecot-static_master.md' - - 'Nginx': - - 'Custom sites': 'u_e-nginx.md' - - 'Create subdomain webmail.example.org': 'u_e-webmail-site.md' - - 'Redis': 'u_e-redis.md' - - 'Rspamd': 'u_e-rspamd.md' - - 'SOGo': 'u_e-sogo.md' - - 'Docker': - - 'Customize Dockerfiles': 'u_e-docker-cust_dockerfiles.md' - - 'Docker Compose Bash Completion': 'u_e-docker-dc_bash_compl.md' - - 'Why unbound?': 'u_e-why_unbound.md' - - 'Autodiscover / Autoconfig': 'u_e-autodiscover_config.md' - - 'Redirect HTTP to HTTPS': 'u_e-80_to_443.md' - - 'Re-enable TLS 1.0 and TLS 1.1': 'u_e-reeanble-weak-protocols.md' -- 'Client Configuration': - - 'Overview': 'client.md' - - 'Android': 'client/client-android.md' - - 'Apple macOS / iOS': 'client/client-apple.md' - - 'eM Client': 'client/client-emclient.md' - - 'KDE Kontact': 'client/client-kontact.md' - - 'Microsoft Outlook': 'client/client-outlook.md' - - 'Mozilla Thunderbird': 'client/client-thunderbird.md' - - 'Windows Mail': 'client/client-windows.md' - - 'Windows Phone': 'client/client-windowsphone.md' - - 'Manual configuration': 'client/client-manual.md' -- 'Third party apps': - - 'Borgmatic Backup': 'third_party-borgmatic.md' - - 'Exchange Hybrid Setup': 'third_party-exchange_onprem.md' - - 'Gitea': 'third_party-gitea.md' - - 
'Gogs': 'third_party-gogs.md' - - 'Mailpiler Integration': 'third_party-mailpiler_integration.md' - - 'Nextcloud': 'third_party-nextcloud.md' - - 'Portainer': 'third_party-portainer.md' - - 'Roundcube': 'third_party-roundcube.md' - - 'SOGo Connector for Thunderbird': 'third_party-thunderbird.md' + - 'Information & Support': 'index.md' + - 'Prerequisites': + - 'Prepare your system': 'prerequisite-system.md' + - 'DNS setup': 'prerequisite-dns.md' + - 'Installation, Update & Migration': + - 'Installation': 'i_u_m_install.md' + - 'Update': 'i_u_m_update.md' + - 'Migration': 'i_u_m_migration.md' + - 'Deinstallation': 'i_u_m_deinstall.md' + - 'Post Installation Tasks': + - 'Advanced SSL': 'firststeps-ssl.md' + - 'Disable IPv6': 'firststeps-disable_ipv6.md' + - 'IP bindings': 'firststeps-ip_bindings.md' + - 'Local MTA on Docker host': 'firststeps-local_mta.md' + - 'Logging': 'firststeps-logging.md' + - 'Relayhosts': 'firststeps-relayhost.md' + - 'Reverse Proxy': 'firststeps-rp.md' + - 'Rspamd UI': 'firststeps-rspamd_ui.md' + - 'SNAT': 'firststeps-snat.md' + - 'Sync job migration': 'firststeps-sync_jobs_migration.md' + - 'Add trusted networks': 'firststeps-trust_networks.md' + - 'Models': + - 'ACL': 'model-acl.md' + - 'Password hashing': 'model-passwd.md' + - 'Sender and receiver model': 'model-sender_rcv.md' + - 'General Troubleshooting': + - 'Introduction': debug.md + - 'Logs': 'debug-logs.md' + - 'Attach a Container': 'debug-attach_service.md' + - 'Reset Passwords (incl. 
SQL)': 'debug-reset_pw.md' + - 'Manual MySQL upgrade': 'debug-mysql_upgrade.md' + - 'Remove Persistent Data': 'debug-rm_volumes.md' + - 'Common Problems': 'debug-common_problems.md' + - 'Admin login to SOGo': 'debug-admin_login_sogo.md' + - 'Reset TLS certificates': 'debug-reset-tls.md' + - 'Backup & Restore': + - 'Helper script': + - 'Backup': 'b_n_r_backup.md' + - 'Restore': 'b_n_r_restore.md' + - 'Manually': + - 'Maildir': 'u_e-backup_restore-maildir.md' + - 'MySQL': 'u_e-backup_restore-mysql.md' + - 'Manual/Guides/Examples': + - 'mailcow UI': + - 'Configuration': 'u_e-mailcow_ui-config.md' + - 'CSS overrides': 'u_e-mailcow_ui-css.md' + - 'Blacklist / Whitelist': 'u_e-mailcow_ui-bl_wl.md' + - 'Pushover': 'u_e-mailcow_ui-pushover.md' + - 'Spamfilter': 'u_e-mailcow_ui-spamfilter.md' + - 'Temporary email aliases': 'u_e-mailcow_ui-spamalias.md' + - 'Tagging': 'u_e-mailcow_ui-tagging.md' + - 'Two-Factor Authentication': 'u_e-mailcow_ui-tfa.md' + - 'WebAuthn / FIDO2': 'u_e-fido2.md' + - 'Postfix': + - 'Custom transport maps': 'u_e-postfix-custom_transport.md' + - 'Whitelist IP in Postscreen': 'u_e-postfix-postscreen_whitelist.md' + - 'Customize/Expand main.cf': 'u_e-postfix-extra_cf.md' + - 'Disable Sender Addresses Verification': 'u_e-postfix-disable_sender_verification.md' + - 'Max. 
message size (attachment size)': 'u_e-postfix-attachment_size.md' + - 'Statistics with pflogsumm': 'u_e-postfix-pflogsumm.md' + - 'Unbound': + - 'Using an external DNS service': 'u_e-unbound-fwd.md' + - 'Dovecot': + - 'Enable "any" ACL settings': 'u_e-dovecot-any_acl.md' + - 'Expunge a Users mails': 'u_e-dovecot-expunge.md' + - 'Customize/Expand dovecot.conf': 'u_e-dovecot-extra_conf.md' + - 'FTS (Solr)': 'u_e-dovecot-fts.md' + - 'IMAP IDLE interval': 'u_e-dovecot-idle_interval.md' + - 'Mail crypt': 'u_e-dovecot-mail-crypt.md' + - 'More Examples with DOVEADM': 'u_e-dovecot-more.md' + - 'Move Maildir (vmail)': 'u_e-dovecot-vmail-volume.md' + - 'Public folders': 'u_e-dovecot-public_folder.md' + - 'Static master user': 'u_e-dovecot-static_master.md' + - 'Nginx': + - 'Custom sites': 'u_e-nginx.md' + - 'Create subdomain webmail.example.org': 'u_e-webmail-site.md' + - 'Redis': 'u_e-redis.md' + - 'Rspamd': 'u_e-rspamd.md' + - 'SOGo': 'u_e-sogo.md' + - 'Docker': + - 'Customize Dockerfiles': 'u_e-docker-cust_dockerfiles.md' + - 'Docker Compose Bash Completion': 'u_e-docker-dc_bash_compl.md' + - 'Why unbound?': 'u_e-why_unbound.md' + - 'Autodiscover / Autoconfig': 'u_e-autodiscover_config.md' + - 'Redirect HTTP to HTTPS': 'u_e-80_to_443.md' + - 'Re-enable TLS 1.0 and TLS 1.1': 'u_e-reeanble-weak-protocols.md' + - 'Client Configuration': + - 'Overview': 'client.md' + - 'Android': 'client/client-android.md' + - 'Apple macOS / iOS': 'client/client-apple.md' + - 'eM Client': 'client/client-emclient.md' + - 'KDE Kontact': 'client/client-kontact.md' + - 'Microsoft Outlook': 'client/client-outlook.md' + - 'Mozilla Thunderbird': 'client/client-thunderbird.md' + - 'Windows Mail': 'client/client-windows.md' + - 'Windows Phone': 'client/client-windowsphone.md' + - 'Manual configuration': 'client/client-manual.md' + - 'Third party apps': + - 'Borgmatic Backup': 'third_party-borgmatic.md' + - 'Exchange Hybrid Setup': 'third_party-exchange_onprem.md' + - 'Gitea': 'third_party-gitea.md' + 
- 'Gogs': 'third_party-gogs.md' + - 'Mailpiler Integration': 'third_party-mailpiler_integration.md' + - 'Nextcloud': 'third_party-nextcloud.md' + - 'Portainer': 'third_party-portainer.md' + - 'Roundcube': 'third_party-roundcube.md' + - 'SOGo Connector for Thunderbird': 'third_party-thunderbird.md' icon: logo: 'images/logo.svg' extra: @@ -144,4 +144,4 @@ plugins: - search - redirects: redirect_maps: - 'u_e-mailpiler-integration.md': 'third_party-mailpiler_integration.md' + 'u_e-mailpiler-integration.md': 'third_party-mailpiler_integration.md' From 32dcb9a0b6d2617c3369558d4922541cee25c931 Mon Sep 17 00:00:00 2001 From: Alexander Holzapfel Date: Sat, 31 Jul 2021 00:20:53 +0200 Subject: [PATCH 163/288] Add pre_ and post_update_hook doc (#284) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Add pre_ and post_update_hook doc * Add hint for hook to update page * Update u_e-update-hooks.md Co-authored-by: André Peters Co-authored-by: Patrik Kernstock --- docs/i_u_m_update.md | 4 ++++ docs/u_e-update-hooks.md | 10 ++++++++++ mkdocs.yml | 25 +++++++++++++------------ 3 files changed, 27 insertions(+), 12 deletions(-) create mode 100644 docs/u_e-update-hooks.md diff --git a/docs/i_u_m_update.md b/docs/i_u_m_update.md index d20b76676..f3be9af67 100644 --- a/docs/i_u_m_update.md +++ b/docs/i_u_m_update.md @@ -66,6 +66,10 @@ docker-compose pull docker-compose up -d ``` +### Hooks + +You can hook into the update mechanism by adding scripts called `pre_commit_hook.sh` and `post_commit_hook.sh` to your mailcows root directory. See [this](./u_e-update-hooks.md) for more details. + ## Footnotes - There is no release cycle regarding updates. diff --git a/docs/u_e-update-hooks.md b/docs/u_e-update-hooks.md new file mode 100644 index 000000000..1d61bbe1c --- /dev/null +++ b/docs/u_e-update-hooks.md 
@@ -0,0 +1,10 @@ +It is possible to add pre- and post-update-hooks to the `update.sh` script that upgrades your whole mailcow installation. + +To do so, just add the corresponding bash script into your mailcows root directory: + +* `pre_update_hook.sh` for commands that should run before the update +* `post_uddate_hook.sh` for commands that should run after the update is completed + +Keep in mind that `pre_update_hook.sh` runs every time you call `update.sh` and `post_update_hook.sh` will only run if the update was successful and the script doesn't have to be re-run. + +The scripts will be run by bash, an interpreter (e.g. `#!/bin/bash`) as well as an execute permission flag ("+x") are not required. diff --git a/mkdocs.yml b/mkdocs.yml index 27e14debf..518e0872a 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -1,6 +1,6 @@ -site_name: 'mailcow: dockerized documentation' +site_name: "mailcow: dockerized documentation" site_url: https://mailcow.github.io/mailcow-dockerized-docs/ -copyright: 'Copyright © 2021 André Peters' +copyright: "Copyright © 2021 André Peters" repo_name: mailcow/mailcow-dockerized repo_url: https://github.com/mailcow/mailcow-dockerized edit_uri: ../mailcow-dockerized-docs/edit/master/docs/ @@ -46,7 +46,7 @@ nav: - 'Password hashing': 'model-passwd.md' - 'Sender and receiver model': 'model-sender_rcv.md' - 'General Troubleshooting': - - 'Introduction': debug.md + - 'Introduction': 'debug.md' - 'Logs': 'debug-logs.md' - 'Attach a Container': 'debug-attach_service.md' - 'Reset Passwords (incl. SQL)': 'debug-reset_pw.md' @@ -106,6 +106,7 @@ nav: - 'Autodiscover / Autoconfig': 'u_e-autodiscover_config.md' - 'Redirect HTTP to HTTPS': 'u_e-80_to_443.md' - 'Re-enable TLS 1.0 and TLS 1.1': 'u_e-reeanble-weak-protocols.md' + - "Run scripts before and after updates": "u_e-update-hooks.md" - 'Client Configuration': - 'Overview': 'client.md' - 'Android': 'client/client-android.md' 
@@ -128,20 +129,20 @@ nav: - 'Roundcube': 'third_party-roundcube.md' - 'SOGo Connector for Thunderbird': 'third_party-thunderbird.md' icon: - logo: 'images/logo.svg' + logo: "images/logo.svg" extra: palette: - primary: 'indigo' - accent: 'orange' + primary: "indigo" + accent: "orange" social: - icon: fontawesome/solid/globe-americas link: https://mailcow.email - icon: fontawesome/brands/github-alt link: https://github.com/mailcow -extra_css: [extra.css] -extra_javascript: [clients.js] +extra_css: [ extra.css ] +extra_javascript: [ clients.js ] plugins: - - search - - redirects: - redirect_maps: - 'u_e-mailpiler-integration.md': 'third_party-mailpiler_integration.md' + - search + - redirects: + redirect_maps: + 'u_e-mailpiler-integration.md': 'third_party-mailpiler_integration.md' From ac219b0c649d9b7f2af2a82d55e8fbdb3af09227 Mon Sep 17 00:00:00 2001 From: Peter Date: Sat, 31 Jul 2021 15:38:51 +0200 Subject: [PATCH 164/288] [GH-Actions][pages] Update mkdocs-material to 7.2.2 --- .github/workflows/gh-pages.yml | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 4ea2d63eb..5b97014ff 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -14,7 +14,7 @@ jobs: run: | sudo apt-get -y update sudo apt-get -y install python3-pip - pip install mkdocs-material==7.2.1 pygments==2.9.0 mkdocs-redirects==1.0.3 + pip install mkdocs-material==7.2.2 pygments==2.9.0 mkdocs-redirects==1.0.3 - name: Build site 🔧 run: | diff --git a/README.md b/README.md index 57be3bf5a..d66bd5612 100644 --- a/README.md +++ b/README.md 
@@ -9,6 +9,6 @@ https://mailcow.github.io/mailcow-dockerized-docs To build it locally, you need the [Material theme for MkDocs](https://squidfunk.github.io/mkdocs-material/), [MkDocs](https://www.mkdocs.org/) itself and [Pygments](http://pygments.org/). To install these with [pip](https://pip.pypa.io/en/stable/) and get it up and running, fire up your terminal and enter ``` -pip install mkdocs-material==7.2.1 pygments==2.9.0 mkdocs-redirects==1.0.3 +pip install mkdocs-material==7.2.2 pygments==2.9.0 mkdocs-redirects==1.0.3 mkdocs serve ``` From 07b2a2f7622aa9f3c09ae0c185bcd9c0af0d811f Mon Sep 17 00:00:00 2001 From: Peter Date: Tue, 10 Aug 2021 19:12:20 +0200 Subject: [PATCH 165/288] [GH-Actions][pages] Update mkdocs-material to 7.2.3 --- .github/workflows/gh-pages.yml | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 5b97014ff..b5e0a3906 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -14,7 +14,7 @@ jobs: run: | sudo apt-get -y update sudo apt-get -y install python3-pip - pip install mkdocs-material==7.2.2 pygments==2.9.0 mkdocs-redirects==1.0.3 + pip install mkdocs-material==7.2.3 pygments==2.9.0 mkdocs-redirects==1.0.3 - name: Build site 🔧 run: | diff --git a/README.md b/README.md index d66bd5612..270b3dff1 100644 --- a/README.md +++ b/README.md @@ -9,6 +9,6 @@ https://mailcow.github.io/mailcow-dockerized-docs To build it locally, you need the [Material theme for MkDocs](https://squidfunk.github.io/mkdocs-material/), [MkDocs](https://www.mkdocs.org/) itself and [Pygments](http://pygments.org/). To install these with [pip](https://pip.pypa.io/en/stable/) and get it up and running, fire up your terminal and enter ``` -pip install mkdocs-material==7.2.2 pygments==2.9.0 mkdocs-redirects==1.0.3 +pip install mkdocs-material==7.2.3 pygments==2.9.0 mkdocs-redirects==1.0.3 mkdocs serve ``` 
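Review bot: In PATCH 163/288, the new "Hooks" paragraph added to docs/i_u_m_update.md names the scripts `pre_commit_hook.sh` and `post_commit_hook.sh`, but the page it links to (docs/u_e-update-hooks.md, added in the same patch) calls them `pre_update_hook.sh` and `post_update_hook.sh`. Make both pages use the names `update.sh` actually looks for; as written, a reader following the update page may create files that are never picked up.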
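Review bot: In PATCH 163/288, docs/u_e-update-hooks.md, the second bullet spells the file `post_uddate_hook.sh` while the following paragraph uses `post_update_hook.sh`; fix the bullet. The last sentence also needs a caveat: because the hooks are run by bash and need neither a shebang nor the execute bit, any file with one of these names in the mailcow root directory is executed when `update.sh` reaches it, so the page should tell admins to keep that directory and the hook files writable only by the user that runs the update.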
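Review bot: In PATCH 164/288 and PATCH 165/288 the same `pip install mkdocs-material==... pygments==2.9.0 mkdocs-redirects==1.0.3` line is edited in both .github/workflows/gh-pages.yml and README.md, so every version bump has to touch two files that can drift apart. Consider moving the pins into a single requirements file that the workflow installs from and the README points to; that would also make it possible to pin hashes for the CI build (pip's `--require-hashes`), which version pins alone do not provide.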
From 105a5ce495312c029bb4b788a49235ff1e1ae327 Mon Sep 17 00:00:00 2001 From: Peter Date: Tue, 10 Aug 2021 19:14:43 +0200 Subject: [PATCH 166/288] Fix logo and favicon --- docs/images/favicon.png | Bin 6856 -> 10281 bytes mkdocs.yml | 11 ++++++----- 2 files changed, 6 insertions(+), 5 deletions(-) 
diff --git a/docs/images/favicon.png b/docs/images/favicon.png index 6390041d6004a1dd9c8793ba386ce2a2662d940d..fe6156078be3bb14a2035117bdbc5d116c0cf470 100644 GIT binary patch literal 10281
diff --git a/mkdocs.yml b/mkdocs.yml index 518e0872a..298ab5976 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -5,7 +5,10 @@ repo_name: mailcow/mailcow-dockerized repo_url: https://github.com/mailcow/mailcow-dockerized edit_uri: ../mailcow-dockerized-docs/edit/master/docs/ remote_branch: gh-pages -theme: material +theme: + name: material + logo: images/logo.svg + favicon: images/favicon.png markdown_extensions: - codehilite: guess_lang: true @@ -74,7 +77,7 @@ nav: - 'Two-Factor Authentication': 'u_e-mailcow_ui-tfa.md' - 'WebAuthn / FIDO2': 'u_e-fido2.md' - 'Postfix': - - 'Custom transport maps': 'u_e-postfix-custom_transport.md' + - 'Custom transport maps': 'u_e-postfix-custom_transport.md' - 'Whitelist IP in Postscreen': 'u_e-postfix-postscreen_whitelist.md' - 'Customize/Expand main.cf': 'u_e-postfix-extra_cf.md' - 'Disable Sender Addresses Verification': 'u_e-postfix-disable_sender_verification.md' 
@@ -93,7 +96,7 @@ nav: - 'Move Maildir (vmail)': 'u_e-dovecot-vmail-volume.md' - 'Public folders': 'u_e-dovecot-public_folder.md' - 'Static master user': 'u_e-dovecot-static_master.md' - - 'Nginx': + - 'Nginx': - 'Custom sites': 'u_e-nginx.md' - 'Create subdomain webmail.example.org': 'u_e-webmail-site.md' - 'Redis': 'u_e-redis.md' @@ -128,8 +131,6 @@ nav: - 'Portainer': 'third_party-portainer.md' - 'Roundcube': 'third_party-roundcube.md' - 'SOGo Connector for Thunderbird': 'third_party-thunderbird.md' -icon: - logo: "images/logo.svg" extra: palette: primary: "indigo" From 2fd7244b8dfcaa39c8baebd5eabbf06553ef8ba7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Fri, 13 Aug 2021 21:55:51 +0200 Subject: [PATCH 167/288] Update firststeps-disable_ipv6.md --- docs/firststeps-disable_ipv6.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/firststeps-disable_ipv6.md b/docs/firststeps-disable_ipv6.md index f522d4d05..3f3480e44 100644 --- a/docs/firststeps-disable_ipv6.md +++ b/docs/firststeps-disable_ipv6.md @@ -38,6 +38,7 @@ version: '2.1' services: ipv6nat-mailcow: + image: bash:latest restart: "no" entrypoint: ["echo", "ipv6nat disabled in compose.override.yml"] ``` From 4696fd35a1664e7f3211ca7a2b6f0974e79164f8 Mon Sep 17 00:00:00 2001 From: Peter Date: Sun, 15 Aug 2021 18:28:46 +0200 Subject: [PATCH 168/288] [GH-Actions][pages] Update mkdocs-material to 7.2.4 --- .github/workflows/gh-pages.yml | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index b5e0a3906..f0c955720 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -14,7 +14,7 @@ jobs: run: | sudo apt-get -y update sudo apt-get -y install python3-pip - pip install mkdocs-material==7.2.3 pygments==2.9.0 mkdocs-redirects==1.0.3 + pip install mkdocs-material==7.2.4 pygments==2.9.0 mkdocs-redirects==1.0.3 - name: Build site 🔧 run: | 
diff --git a/README.md b/README.md index 270b3dff1..6de2c3fdd 100644 --- a/README.md +++ b/README.md @@ -9,6 +9,6 @@ https://mailcow.github.io/mailcow-dockerized-docs To build it locally, you need the [Material theme for MkDocs](https://squidfunk.github.io/mkdocs-material/), [MkDocs](https://www.mkdocs.org/) itself and [Pygments](http://pygments.org/). To install these with [pip](https://pip.pypa.io/en/stable/) and get it up and running, fire up your terminal and enter ``` -pip install mkdocs-material==7.2.3 pygments==2.9.0 mkdocs-redirects==1.0.3 +pip install mkdocs-material==7.2.4 pygments==2.9.0 mkdocs-redirects==1.0.3 mkdocs serve ``` From 8e294db53d4138511c30288fdbd91dbd647ad5a8 Mon Sep 17 00:00:00 2001 From: Peter Date: Sun, 15 Aug 2021 18:29:45 +0200 Subject: [PATCH 169/288] [GH-Actions][pages] Update pygments to 2.10.0 --- .github/workflows/gh-pages.yml | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index f0c955720..665857ee6 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -14,7 +14,7 @@ jobs: run: | sudo apt-get -y update sudo apt-get -y install python3-pip - pip install mkdocs-material==7.2.4 pygments==2.9.0 mkdocs-redirects==1.0.3 + pip install mkdocs-material==7.2.4 pygments==2.10.0 mkdocs-redirects==1.0.3 - name: Build site 🔧 run: | diff --git a/README.md b/README.md index 6de2c3fdd..7ac967bd9 100644 --- a/README.md +++ b/README.md 
@@ -9,6 +9,6 @@ https://mailcow.github.io/mailcow-dockerized-docs To build it locally, you need the [Material theme for MkDocs](https://squidfunk.github.io/mkdocs-material/), [MkDocs](https://www.mkdocs.org/) itself and [Pygments](http://pygments.org/). To install these with [pip](https://pip.pypa.io/en/stable/) and get it up and running, fire up your terminal and enter ``` -pip install mkdocs-material==7.2.4 pygments==2.9.0 mkdocs-redirects==1.0.3 +pip install mkdocs-material==7.2.4 pygments==2.10.0 mkdocs-redirects==1.0.3 mkdocs serve ``` From be11df7facc55c8aab23e454ee83ab5be19b9ffb Mon Sep 17 00:00:00 2001 From: andryyy Date: Mon, 16 Aug 2021 12:37:30 +0200 Subject: [PATCH 170/288] Add info about automatic backups --- docs/b_n_r_accidental_deletion.md | 40 +++++++++++++++++++++++++++++++ mkdocs.yml | 2 ++ 2 files changed, 42 insertions(+) create mode 100644 docs/b_n_r_accidental_deletion.md diff --git a/docs/b_n_r_accidental_deletion.md b/docs/b_n_r_accidental_deletion.md new file mode 100644 index 000000000..43b731f21 --- /dev/null +++ b/docs/b_n_r_accidental_deletion.md 
@@ -0,0 +1,40 @@ +So you deleted a mailbox and have no backups, he? + +If you noticed your mistake within a few hours, you can probably recover the users data. + +### SOGo + +We automatically create daily backups (24h interval starting from running up -d) in `/var/lib/docker/volumes/mailcowdockerized_sogo-userdata-backup-vol-1/_data/`. + +**Make sure the user you want to restore exists in your mailcow**. Re-create them if they are missing. + +Copy the file named after the user you want to restore to `__MAILCOW_DIRECTORY__/data/conf/sogo`. + +1\. Copy the backup: `cp /var/lib/docker/volumes/mailcowdockerized_sogo-userdata-backup-vol-1/_data/restoreme@example.org __MAILCOW_DIRECTORY__/data/conf/sogo` + +2\. Run `docker-compose exec -u sogo sogo-mailcow sogo-tool restore -F ALL /etc/sogo restoreme@example.org` + +Run `sogo-tool` without parameters to check for possible restore options. + +3\. Delete the copied backup by running `rm __MAILCOW_DIRECTORY__/data/conf/sogo` + +4\. Restart SOGo and Memcached: `docker-compose restart sogo-mailcow memcached-mailcow` + +### Mail + +In case of an accidental deletion of a mailbox, you will be able to recover for (by default) 5 days. This depends on the `MAILDIR_GC_TIME` parameter in `mailcow.conf`. + +A deleted mailbox is copied in its encrypted form to `/var/lib/docker/volumes/mailcowdockerized_vmail-vol-1/_data/_garbage`. + +The folder inside _garbage follows the structure `[timestamp]_[domain_sanitized][user_sanitized]`, for example `1629109708_exampleorgtest in case of test@example.org deleted on 1629109708. + +To restore make sure you are actually restoring to the same mailcow it was deleted from or you use the same encryption keys in `crypt-vol-1`. + +**Make sure the user you want to restore exists in your mailcow**. Re-create them if they are missing. 
+ +Copy the folders from `/var/lib/docker/volumes/mailcowdockerized_vmail-vol-1/_data/_garbage/[timestamp]_[domain_sanitized][user_sanitized]` back to `/var/lib/docker/volumes/mailcowdockerized_vmail-vol-1/_data/[domain]/[user]` and resync the folder and recalc the quota: + +``` +docker-compose exec dovecot-mailcow doveadm force-resync -u restoreme@example.net '*' +docker-compose exec dovecot-mailcow doveadm quota recalc -u restoreme@example.net +``` diff --git a/mkdocs.yml b/mkdocs.yml index 65a3b113a..045cec693 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -62,6 +62,8 @@ nav: - 'Manually': - 'Maildir': 'u_e-backup_restore-maildir.md' - 'MySQL': 'u_e-backup_restore-mysql.md' + - 'Automatic backups' + - 'Recover accidentally deleted data': 'b_n_r_accidental_deletion.md' - 'Manual/Guides/Examples': - 'mailcow UI': - 'Configuration': 'u_e-mailcow_ui-config.md' From d77dd97c90d200e3cf783945a5198fe398cc4ea8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Fri, 20 Aug 2021 08:38:51 +0200 Subject: [PATCH 171/288] Update third_party-roundcube.md --- docs/third_party-roundcube.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/third_party-roundcube.md b/docs/third_party-roundcube.md index bde36cfb8..ec2c4e13e 100644 --- a/docs/third_party-roundcube.md +++ b/docs/third_party-roundcube.md @@ -1,10 +1,10 @@ -Download Roundcube 1.4.x to the web htdocs directory and extract it (here `rc/`): +Download Roundcube 1.5.x to the web htdocs directory and extract it (here `rc/`): ``` # Check for a newer release! cd data/web -wget -O - https://github.com/roundcube/roundcubemail/releases/download/1.4.11/roundcubemail-1.4.11-complete.tar.gz | tar xfvz - +wget -O - https://github.com/roundcube/roundcubemail/releases/download/1.5-rc/roundcubemail-1.5-rc-complete.tar.gz | tar xfvz - # Change folder name -mv roundcubemail-1.4.11 rc +mv roundcubemail-1.5-rc rc # Change permissions chown -R root: rc/ ``` 
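Review bot: In PATCH 167/288, docs/firststeps-disable_ipv6.md, the added `image: bash:latest` uses a floating tag, so the override pulls whatever that tag points to at the time of the next `docker-compose pull`. Pin it to a specific version tag or digest, and say in the commit message or the page why the placeholder service needs an image at all, since the subject "Update firststeps-disable_ipv6.md" gives no reason.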
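Review bot: In PATCH 170/288, docs/b_n_r_accidental_deletion.md, step 3 of the SOGo section runs `rm __MAILCOW_DIRECTORY__/data/conf/sogo`, which names the SOGo configuration directory rather than the backup file copied in step 1; it should be `rm __MAILCOW_DIRECTORY__/data/conf/sogo/restoreme@example.org`. In the Mail section the example folder name 1629109708_exampleorgtest is missing its closing backtick, and the two doveadm commands use restoreme@example.net while the rest of the page uses example.org. The requirement to restore onto the same mailcow or to have the same keys in `crypt-vol-1` would be better set off as a warning, since a restore without them leaves unreadable mail.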
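Review bot: In PATCH 170/288, mkdocs.yml hunk @@ -62,6 +62,8, the added `- 'Automatic backups'` entry has no trailing colon, unlike the sibling section headers such as `- 'Manually':`. Without it the entry is a bare string instead of a section that contains 'Recover accidentally deleted data', so the nav will not be read as intended; add the colon and check the result with a local `mkdocs serve` before merging.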
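Review bot: In PATCH 171/288, docs/third_party-roundcube.md, the download URL now points to `roundcubemail-1.5-rc-complete.tar.gz`, a release candidate, so the guide has readers install a pre-release webmail build; either keep the instructions on a stable release or state on the page that this is an RC. The archive is also piped from wget straight into tar with no checksum or signature check, so a verification step before extraction would be a worthwhile addition while this block is being touched.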
From 5689d70d1ac0c84d704d35694ae9f9dd737b7b56 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Mon, 23 Aug 2021 08:12:36 +0200 Subject: [PATCH 172/288] Update i_u_m_install.md --- docs/i_u_m_install.md | 5 ----- 1 file changed, 5 deletions(-) diff --git a/docs/i_u_m_install.md b/docs/i_u_m_install.md index 764f462cc..cd9469a30 100644 --- a/docs/i_u_m_install.md +++ b/docs/i_u_m_install.md @@ -1,8 +1,3 @@ -!!! warning - Make sure you've read ["Prepare Your System"](https://mailcow.github.io/mailcow-dockerized-docs/prerequisite-system) before proceeding! - **We do not recommend** CentOS 8 anymore. - - You need Docker (a version >= `20.10.2` is required) and Docker Compose. **1\.** Learn how to install [Docker](https://docs.docker.com/install/) and [Docker Compose](https://docs.docker.com/compose/install/). From 4484abe4e79a2314d4861406bd486376844bb580 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Mon, 23 Aug 2021 08:12:59 +0200 Subject: [PATCH 173/288] Update prerequisite-system.md --- docs/prerequisite-system.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/prerequisite-system.md b/docs/prerequisite-system.md index 6c5df19f3..4880abe48 100644 --- a/docs/prerequisite-system.md +++ b/docs/prerequisite-system.md @@ -2,7 +2,6 @@ Before you run **mailcow: dockerized**, there are a few requirements that you sh !!! warning Do **not** try to install mailcow on a Synology/QNAP device (any NAS), OpenVZ, LXC or other container platforms. KVM, ESX, Hyper-V and other full virtualization platforms are supported. - We **do not** recommend to use CentOS 8 anymore! !!! info - mailcow: dockerized requires [some ports](#default-ports) to be open for incoming connections, so make sure that your firewall is not blocking these. From 3a0c2ec180486518022bbaba45397d04b43d4da0 Mon Sep 17 00:00:00 2001 
From: Peter Date: Wed, 25 Aug 2021 19:45:06 +0200 Subject: [PATCH 174/288] [GH-Actions][pages] Update mkdocs-material to 7.2.5 --- .github/workflows/gh-pages.yml | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 665857ee6..4a105179e 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -14,7 +14,7 @@ jobs: run: | sudo apt-get -y update sudo apt-get -y install python3-pip - pip install mkdocs-material==7.2.4 pygments==2.10.0 mkdocs-redirects==1.0.3 + pip install mkdocs-material==7.2.5 pygments==2.10.0 mkdocs-redirects==1.0.3 - name: Build site 🔧 run: | diff --git a/README.md b/README.md index 7ac967bd9..434fa7178 100644 --- a/README.md +++ b/README.md @@ -9,6 +9,6 @@ https://mailcow.github.io/mailcow-dockerized-docs To build it locally, you need the [Material theme for MkDocs](https://squidfunk.github.io/mkdocs-material/), [MkDocs](https://www.mkdocs.org/) itself and [Pygments](http://pygments.org/). To install these with [pip](https://pip.pypa.io/en/stable/) and get it up and running, fire up your terminal and enter ``` -pip install mkdocs-material==7.2.4 pygments==2.10.0 mkdocs-redirects==1.0.3 +pip install mkdocs-material==7.2.5 pygments==2.10.0 mkdocs-redirects==1.0.3 mkdocs serve ``` From b50c8e046aa1c6c51098d8c36e5e84056f09db59 Mon Sep 17 00:00:00 2001 From: Riccardo Bessone Date: Thu, 26 Aug 2021 08:56:39 +0200 Subject: [PATCH 175/288] Update CardDAv for Roundcube Update CardDav for Roundcube to the latest version for compatibility with PHP 8 --- docs/third_party-roundcube.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/third_party-roundcube.md b/docs/third_party-roundcube.md index ec2c4e13e..0042a2bea 100644 --- a/docs/third_party-roundcube.md +++ b/docs/third_party-roundcube.md 
@@ -105,7 +105,7 @@ $config['password_query'] = "UPDATE mailbox SET password = %P WHERE username = % Download the latest release of [RCMCardDAV](https://github.com/blind-coder/rcmcarddav/) to the Roundcube plugin directory and extract it (here `rc/plugins`): ``` cd data/web/rc/plugins -wget -O - https://github.com/blind-coder/rcmcarddav/releases/download/v3.0.3/carddav-3.0.3.tar.bz2 | tar xfvj - +wget -O - https://github.com/mstilkerich/rcmcarddav/releases/download/v4.1.2/carddav-v4.1.2.tar.gz | tar xfvz - chown -R root: carddav/ ``` From 123e49285cf56989e94e49df0264d609e1fdf4e4 Mon Sep 17 00:00:00 2001 From: Riccardo Bessone Date: Thu, 26 Aug 2021 17:38:14 +0200 Subject: [PATCH 176/288] Update CardDAV repository URL Repository URL changed due to namespace change --- docs/third_party-roundcube.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/third_party-roundcube.md b/docs/third_party-roundcube.md index 0042a2bea..877c4273a 100644 --- a/docs/third_party-roundcube.md +++ b/docs/third_party-roundcube.md @@ -102,7 +102,7 @@ $config['password_query'] = "UPDATE mailbox SET password = %P WHERE username = % ### Integrate CardDAV addressbooks in Roundcube -Download the latest release of [RCMCardDAV](https://github.com/blind-coder/rcmcarddav/) to the Roundcube plugin directory and extract it (here `rc/plugins`): +Download the latest release of [RCMCardDAV](https://github.com/mstilkerich/rcmcarddav) to the Roundcube plugin directory and extract it (here `rc/plugins`): ``` cd data/web/rc/plugins wget -O - https://github.com/mstilkerich/rcmcarddav/releases/download/v4.1.2/carddav-v4.1.2.tar.gz | tar xfvz - From 175b1e9e8f492d571489d60bac7cd303dba07816 Mon Sep 17 00:00:00 2001 From: Peter Date: Thu, 26 Aug 2021 23:08:10 +0200 Subject: [PATCH 177/288] [GH-Actions][pages] Update github-pages-deploy-action to 4.1.5 --- .github/workflows/gh-pages.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 4a105179e..60ee15abf 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -21,7 +21,7 @@ jobs: mkdocs build --verbose --clean - name: Deploy 🚀 - uses: JamesIves/github-pages-deploy-action@4.1.4 + uses: JamesIves/github-pages-deploy-action@4.1.5 with: branch: gh-pages # The branch the action should deploy to. folder: site # The folder the action should deploy. From 7c953ae4aa1c75dc9dceee820b8fa94061f323a1 Mon Sep 17 00:00:00 2001 From: Dmitriy Alekseev <1865999+dragoangel@users.noreply.github.com> Date: Sat, 28 Aug 2021 16:26:19 +0300 Subject: [PATCH 178/288] Update firststeps-dmarc_reporting.md --- docs/firststeps-dmarc_reporting.md | 87 +++++++++++++++++------------- 1 file changed, 51 insertions(+), 36 deletions(-) diff --git a/docs/firststeps-dmarc_reporting.md b/docs/firststeps-dmarc_reporting.md index ad1336ab7..5a78ddec0 100644 --- a/docs/firststeps-dmarc_reporting.md +++ b/docs/firststeps-dmarc_reporting.md 
@@ -1,62 +1,77 @@ DMARC Reporting done via Rspamd DMARC Module. -Offical configuration options and documentation can be found here: https://rspamd.com/doc/modules/dmarc.html +Rspamd documentation can be found here: https://rspamd.com/doc/modules/dmarc.html **Important:** -1. Before use config examples from this document please adjust them, change `example.com` and `Example` to your actual data +1. Before use examples bellow, change `example.com`, `mail.example.com` and `Example` to your actual data 2. DMARC reporting require additional attention, especially at first days 3. Your reports for all server will be send from one reporting domain. Recommended to use parent domain of your `MAILCOW_HOSTNAME`, f.e: - if your `MAILCOW_HOSTNAME=mail.example.com` then Reporting `domain = "example.com";` - set `email` from same domain also, `email = "noreply-dmarc@example.com";` -4. This optional, but recomended step: create `noreply-dmarc` email user in mailcow to handle bounces. +4. This optional, but recommended step: create `noreply-dmarc` email user in mailcow to handle bounces. - Go to mailcow admin UI → Configuration → Mail Setup → Mailboxes → Add mailbox → Create mailbox `noreply-dmarc`, please choose correct domain - In case you want silently discard bounces: login in SOGo from this account and go to Preferences → Mail → Filters → Create Filter → Add action → Provide name, f.e: `noreply` and add action: Discard the message and save filter - In case you plan to resend a copy of reports to yourself: you need add condition to previous filter example `From is not noreply-dmarc@example.com` -## Enable DMARC Reports +## Enable DMARC Reporting 1. 
Create or edit file in `data/conf/rspamd/local.d/dmarc.conf` and set content to: ``` -reporting = true; -send_reports = true; -report_settings { - org_name = "Example"; - domain = "example.com"; - email = "noreply-dmarc@example.com"; - from_name = "Example DMARC Report"; - smtp = "postfix"; +reporting { + enabled = true; + email = 'noreply-dmarc@example.com'; + domain = 'example.com'; + org_name = 'Example'; + helo = 'rspamd'; + smtp = 'postfix'; smtp_port = 25; - helo = "rspamd"; - retries = 3; - hscan_count = 1500 + from_name = 'Example DMARC Report'; + msgid_from = 'rspamd.mail.example.com'; + max_entries = 2k; + keys_expire = 2d; } ``` -2. Create required `dmarc_reports_last_sent` file: -`docker-compose exec rspamd-mailcow bash -c "touch /var/lib/rspamd/dmarc_reports_last_sent; chown 101:101 /var/lib/rspamd/dmarc_reports_last_sent; chmod 644 /var/lib/rspamd/dmarc_reports_last_sent"` -3. Restart rspamd container: -`docker-compose restart rspamd-mailcow` +2. Create `docker-compose.override.yml` or merge with your existing one: +``` +version: '2.1' -## Disable DMARC Reports -To disable reporting set `send_reports` to `false` and restart rspamd container +services: + rspamd-mailcow: + environment: + - MASTER=${MASTER:-y} + labels: + ofelia.enabled: "true" + ofelia.job-exec.rspamd_dmarc_reporting.schedule: "@every 24h" + ofelia.job-exec.rspamd_dmarc_reporting.command: "/bin/bash -c \"[[ $${MASTER} == y ]] && /usr/bin/rspamadm dmarc_report > /var/lib/rspamd/dmarc_reports_last_log 2>&1 || exit 0\"" + ofelia-mailcow: + depends_on: + - rspamd-mailcow +``` +3. Run `docker-compose up -d` ## Send a copy reports to yourself -To get copy of own generated reports you can add `additional_address = "noreply-dmarc@pnnsoft.com";` in `report_settings` section. +To recieve a hidden copy of reports generated by Rspamd you can set a list of comma-separated emails via `bcc_addrs = ["noreply-dmarc@example.com","parsedmarc@example.com"];` in `reporting` section. 
+ +Rspamd will load changes in runtime, no need to restart it. + This useful in case: - you want to check that your DMARC Reports send correctly, e.g.: check that they signed by DKIM, etc. - you want to analyze own reports to get statics data, f.e: use with ParseDMARC or other analytic system -**Important:** +## Troubleshooting +You can check: +1. Run `docker-compose exec rspamd-mailcow ls -lah /var/lib/rspamd/dmarc_reports_last_log` to check when file was been modified last time +2. Do `docker-compose exec rspamd-mailcow cat /var/lib/rspamd/dmarc_reports_last_log` to check last report output +3. Manually trigger sending of DMARC reports via `rspamd-mailcow rspamadm dmarc_report` and check the output +4. Validate that Rspamd has recorded data in Redis via `docker-compose exec redis-mailcow redis-cli KEYS 'dmarc;*'` and then run `docker-compose exec redis-mailcow redis-cli HGETALL "dmarc;example.com;date"` -Future `additional_address_bcc` is broken, lead to not sending reports to `additional_address` even while it `false`. -Do not add this option to `dmarc.conf` till bug https://github.com/rspamd/rspamd/issues/3465 will be resolved and fixed version will be used in mailcow. +## Change DMARC Reporting Frequency +In the example above reports are send once a 24 hours. To change this behaviour: +1. Adjust `ofelia.job-exec.rspamd_dmarc_reporting.schedule: "@every 24h"` to desired value in `docker-compose.override.yml` +2. Run `docker-compose up -d` +3. Run `docker-compose restart ofelia-mailcow` -## DMARC Force actions -This module also allows to enable force actions based on sender DMARC policy to reject or quarantine emails which has failed policy. -This good from security point, but it can lead of rejecting of forwarded email and not allow whitelist broken senders. Better **avoid** using this option. 
- -If you still want to enable it, add to end of `data/conf/rspamd/local.d/dmarc.conf`: -``` -actions { - quarantine = "add_header"; - reject = "reject"; -} -``` +## Disable DMARC Reporting +To disable reporting: +1. Set `enabled` to `false` in `data/conf/rspamd/local.d/dmarc.conf` +2. Revert changes done to `docker-compose.override.yml` +3. Run `docker-compose up -d` From 8ceb2764959e1f00886c6116f2d2a052249cecc2 Mon Sep 17 00:00:00 2001 From: Dmitriy Alekseev <1865999+dragoangel@users.noreply.github.com> Date: Sat, 28 Aug 2021 19:23:49 +0300 Subject: [PATCH 179/288] Update firststeps-dmarc_reporting.md --- docs/firststeps-dmarc_reporting.md | 58 +++++++++++++++++++++--------- 1 file changed, 41 insertions(+), 17 deletions(-) diff --git a/docs/firststeps-dmarc_reporting.md b/docs/firststeps-dmarc_reporting.md index 5a78ddec0..7c78c201a 100644 --- a/docs/firststeps-dmarc_reporting.md +++ b/docs/firststeps-dmarc_reporting.md 
@@ -3,18 +3,18 @@ DMARC Reporting done via Rspamd DMARC Module. Rspamd documentation can be found here: https://rspamd.com/doc/modules/dmarc.html **Important:** -1. Before use examples bellow, change `example.com`, `mail.example.com` and `Example` to your actual data -2. DMARC reporting require additional attention, especially at first days -3. Your reports for all server will be send from one reporting domain. Recommended to use parent domain of your `MAILCOW_HOSTNAME`, f.e: - - if your `MAILCOW_HOSTNAME=mail.example.com` then Reporting `domain = "example.com";` - - set `email` from same domain also, `email = "noreply-dmarc@example.com";` +1. Before you use the examples below, change `example.com`, `mail.example.com` and `Example` to reflect your setup +2. DMARC reporting requires additional attention, especially over the first few days +3. All receiving domains hosted on mailcow send from one reporting domain. Recommended to use parent domain of your `MAILCOW_HOSTNAME`, for example: + - if your `MAILCOW_HOSTNAME=mail.example.com` then change your reporting config to match `domain = "example.com";` + - set `email` from the same domain also, `email = "noreply-dmarc@example.com";` 4. This optional, but recommended step: create `noreply-dmarc` email user in mailcow to handle bounces. 
- Go to mailcow admin UI → Configuration → Mail Setup → Mailboxes → Add mailbox → Create mailbox `noreply-dmarc`, please choose correct domain - - In case you want silently discard bounces: login in SOGo from this account and go to Preferences → Mail → Filters → Create Filter → Add action → Provide name, f.e: `noreply` and add action: Discard the message and save filter - - In case you plan to resend a copy of reports to yourself: you need add condition to previous filter example `From is not noreply-dmarc@example.com` + - In case you want silently discard bounces: login in SOGo from this account and go to Preferences → Mail → Filters → Create Filter → Add action → Provide name, enter `noreply` and add action: Discard the message and save filter + - In case you plan to resend a copy of reports to yourself, you need to add a condition to previous filter example `From is not noreply-dmarc@example.com` ## Enable DMARC Reporting -1. Create or edit file in `data/conf/rspamd/local.d/dmarc.conf` and set content to: +1. Create or edit file in `data/conf/rspamd/local.d/dmarc.conf` and set contents to: ``` reporting { enabled = true; 
@@ -49,20 +49,44 @@ services: 3. Run `docker-compose up -d` ## Send a copy reports to yourself -To recieve a hidden copy of reports generated by Rspamd you can set a list of comma-separated emails via `bcc_addrs = ["noreply-dmarc@example.com","parsedmarc@example.com"];` in `reporting` section. +To receive a hidden copy of reports generated by Rspamd you can set a `bcc_addrs` list in `reporting` section. -Rspamd will load changes in runtime, no need to restart it. +``` +reporting { + enabled = true; + email = 'noreply-dmarc@example.com'; + bcc_addrs = ["noreply-dmarc@example.com","parsedmarc@example.com"]; +... +``` + +Rspamd will load changes in real time, no need to restart it. This useful in case: -- you want to check that your DMARC Reports send correctly, e.g.: check that they signed by DKIM, etc. -- you want to analyze own reports to get statics data, f.e: use with ParseDMARC or other analytic system +- you want to check that your DMARC Reports send correctly, check that they signed by DKIM, etc. +- you want to analyze own reports to get statics data, for example use with ParseDMARC or other analytic system ## Troubleshooting -You can check: -1. Run `docker-compose exec rspamd-mailcow ls -lah /var/lib/rspamd/dmarc_reports_last_log` to check when file was been modified last time -2. Do `docker-compose exec rspamd-mailcow cat /var/lib/rspamd/dmarc_reports_last_log` to check last report output -3. Manually trigger sending of DMARC reports via `rspamd-mailcow rspamadm dmarc_report` and check the output -4. 
Validate that Rspamd has recorded data in Redis via `docker-compose exec redis-mailcow redis-cli KEYS 'dmarc;*'` and then run `docker-compose exec redis-mailcow redis-cli HGETALL "dmarc;example.com;date"` + +Check when the report schedule last ran +``` +docker-compose exec rspamd-mailcow date -r /var/lib/rspamd/dmarc_reports_last_log +``` + +See last report output +``` +docker-compose exec rspamd-mailcow cat /var/lib/rspamd/dmarc_reports_last_log +``` + +Manually Trigger DMARC report +``` +docker-compose exec rspamd-mailcow rspamadm dmarc_report +``` + +Validate that Rspamd has recorded data in Redis +``` +docker-compose exec redis-mailcow redis-cli KEYS 'dmarc;*' +docker-compose exec redis-mailcow redis-cli HGETALL "dmarc;example.com;20211231" +``` ## Change DMARC Reporting Frequency In the example above reports are send once a 24 hours. To change this behaviour: From bdd0aa86e571803cd6bb0d8f64049db23d6033f9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Mon, 30 Aug 2021 07:48:10 +0200 Subject: [PATCH 180/288] Update u_e-postfix-attachment_size.md --- docs/u_e-postfix-attachment_size.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/u_e-postfix-attachment_size.md b/docs/u_e-postfix-attachment_size.md index e6ddb6174..079dda29e 100644 --- a/docs/u_e-postfix-attachment_size.md +++ b/docs/u_e-postfix-attachment_size.md @@ -1,4 +1,4 @@ -Open `data/conf/postfix/main.cf` and set the `message_size_limit` accordingly in bytes. +Open `data/conf/postfix/extra.cf` and set the `message_size_limit` accordingly in bytes. Restart Postfix: From 2c4764990dde9f6999fcfed90f97df4fb98fc758 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Mon, 30 Aug 2021 07:48:27 +0200 Subject: [PATCH 181/288] Update u_e-postfix-attachment_size.md --- docs/u_e-postfix-attachment_size.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/u_e-postfix-attachment_size.md b/docs/u_e-postfix-attachment_size.md index 079dda29e..3c37a6aba 100644 --- a/docs/u_e-postfix-attachment_size.md +++ b/docs/u_e-postfix-attachment_size.md @@ -1,4 +1,4 @@ -Open `data/conf/postfix/extra.cf` and set the `message_size_limit` accordingly in bytes. +Open `data/conf/postfix/extra.cf` and set the `message_size_limit` accordingly in bytes. Siee `main.cf` for the default value. Restart Postfix: From 1a5eab3c21da18169099244d82fe0e867f631428 Mon Sep 17 00:00:00 2001 From: Peter Date: Wed, 1 Sep 2021 20:47:18 +0200 Subject: [PATCH 182/288] Update u_e-postfix-attachment_size.md --- docs/u_e-postfix-attachment_size.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/u_e-postfix-attachment_size.md b/docs/u_e-postfix-attachment_size.md index 3c37a6aba..1c15ac3ea 100644 --- a/docs/u_e-postfix-attachment_size.md +++ b/docs/u_e-postfix-attachment_size.md @@ -1,4 +1,4 @@ -Open `data/conf/postfix/extra.cf` and set the `message_size_limit` accordingly in bytes. Siee `main.cf` for the default value. +Open `data/conf/postfix/extra.cf` and set the `message_size_limit` accordingly in bytes. See `main.cf` for the default value. Restart Postfix: From dfa70f435ebeb4b2c7c9521687bd8c2da5f86533 Mon Sep 17 00:00:00 2001 From: andryyy Date: Thu, 2 Sep 2021 12:45:59 +0200 Subject: [PATCH 183/288] add rspamd asan debugging --- docs/debug-asan_rspamd.md | 27 +++++++++++++++++++++++++++ docs/debug-reset_tls.md | 17 +++++++++++++++++ mkdocs.yml | 3 ++- 3 files changed, 46 insertions(+), 1 deletion(-) create mode 100644 docs/debug-asan_rspamd.md create mode 100644 docs/debug-reset_tls.md diff --git a/docs/debug-asan_rspamd.md b/docs/debug-asan_rspamd.md new file mode 100644 index 000000000..6ef6673d2 --- /dev/null +++ b/docs/debug-asan_rspamd.md 
@@ -0,0 +1,27 @@ +A quick guide to deeply a malfunctioning Rspamd. + +``` +docker-compose exec rspamd-mailcow bash + +if ! grep -qi 'apt-stable-asan' /etc/apt/sources.list.d/rspamd.list; then + sed -i 's/apt-stable/apt-stable-asan/i' /etc/apt/sources.list.d/rspamd.list +fi + +apt-get update ; apt-get upgrade rspamd + +nano /docker-entrypoint.sh + +# Before "exec "$@"" add the following lines: + +export G_SLICE=always-malloc +export ASAN_OPTIONS=new_delete_type_mismatch=0:detect_leaks=1:detect_odr_violation=0:log_path=/tmp/rspamd-asan:quarantine_size_mb=2048:malloc_context_size=8:fast_unwind_on_malloc=0 + +``` + +Restart Rspamd: `docker-compose restart rspamd-mailcow` + +Your memory consumption will increase by a lot, it will also steadily grow, which is not related to a possible memory leak you are looking for. + +Leave the container running for a few minutes, hours or days (it should match the time you usually wait for the leak to "happen") and restart it: `docker-compose restart rspamd-mailcow`. + +Now enter the container by running `docker-compose exec rspamd-mailcow bash`, change the directory to /tmp and copy the asan Files to your desired location or upload them via termbin.com (`cat /tmp/rspamd-asan.* | nc termbin.com 9999`). diff --git a/docs/debug-reset_tls.md b/docs/debug-reset_tls.md new file mode 100644 index 000000000..b2584e0f4 --- /dev/null +++ b/docs/debug-reset_tls.md 
@@ -0,0 +1,17 @@ +In case you encounter problems with your certificate, key or Let's Encrypt account, please try to reset the TLS assets: + +``` +source mailcow.conf +docker-compose down +rm -rf data/assets/ssl +mkdir data/assets/ssl +openssl req -x509 -newkey rsa:4096 -keyout data/assets/ssl-example/key.pem -out data/assets/ssl-example/cert.pem -days 365 -subj "/C=DE/ST=NRW/L=Willich/O=mailcow/OU=mailcow/CN=${MAILCOW_HOSTNAME}" -sha256 -nodes +cp -n -d data/assets/ssl-example/*.pem data/assets/ssl/ +docker-compose up -d +``` + +This will stop mailcow, source the variables we need, create a self-signed certificate and start mailcow. + +If you use Let's Encrypt you should be careful as you will create a new account and a new set of certificates. You will run into a ratelimit sooner or later. + +Please also note that previous TLSA records will be invalid. diff --git a/mkdocs.yml b/mkdocs.yml index 0f209a0bf..6e91ac88b 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -57,7 +57,8 @@ nav: - 'Remove Persistent Data': 'debug-rm_volumes.md' - 'Common Problems': 'debug-common_problems.md' - 'Admin login to SOGo': 'debug-admin_login_sogo.md' - - 'Reset TLS certificates': 'debug-reset-tls.md' + - 'Reset TLS certificates': 'debug-reset_tls.md' + - 'Advanced: Find memory leaks in Rspamd': 'debug-asan_rspamd.md' - 'Backup & Restore': - 'Helper script': - 'Backup': 'b_n_r_backup.md' From db18fa013bfeaba57b5385f679453f8d9799abbd Mon Sep 17 00:00:00 2001 From: andryyy Date: Thu, 2 Sep 2021 12:46:20 +0200 Subject: [PATCH 184/288] remove old file --- docs/debug-reset-tls.md | 17 ----------------- 1 file changed, 17 deletions(-) delete mode 100644 docs/debug-reset-tls.md diff --git a/docs/debug-reset-tls.md b/docs/debug-reset-tls.md deleted file mode 100644 index b2584e0f4..000000000 --- a/docs/debug-reset-tls.md +++ /dev/null 
@@ -1,17 +0,0 @@ -In case you encounter problems with your certificate, key or Let's Encrypt account, please try to reset the TLS assets: - -``` -source mailcow.conf -docker-compose down -rm -rf data/assets/ssl -mkdir data/assets/ssl -openssl req -x509 -newkey rsa:4096 -keyout data/assets/ssl-example/key.pem -out data/assets/ssl-example/cert.pem -days 365 -subj "/C=DE/ST=NRW/L=Willich/O=mailcow/OU=mailcow/CN=${MAILCOW_HOSTNAME}" -sha256 -nodes -cp -n -d data/assets/ssl-example/*.pem data/assets/ssl/ -docker-compose up -d -``` - -This will stop mailcow, source the variables we need, create a self-signed certificate and start mailcow. - -If you use Let's Encrypt you should be careful as you will create a new account and a new set of certificates. You will run into a ratelimit sooner or later. - -Please also note that previous TLSA records will be invalid. From 07c094035d6f1fcf7dccb45df371ca392b5a0fac Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Thu, 2 Sep 2021 19:28:01 +0200 Subject: [PATCH 185/288] Update debug-asan_rspamd.md --- docs/debug-asan_rspamd.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/debug-asan_rspamd.md b/docs/debug-asan_rspamd.md index 6ef6673d2..73fb7918c 100644 --- a/docs/debug-asan_rspamd.md +++ b/docs/debug-asan_rspamd.md @@ -1,4 +1,4 @@ -A quick guide to deeply a malfunctioning Rspamd. +A quick guide to deeply analyze a malfunctioning Rspamd. ``` docker-compose exec rspamd-mailcow bash From 60a30dd944d5084660ab059563037a3680cccc35 Mon Sep 17 00:00:00 2001 From: Peter Date: Thu, 2 Sep 2021 19:51:23 +0200 Subject: [PATCH 186/288] [GH-Actions][pages] Update mkdocs-material to 7.2.6 --- .github/workflows/gh-pages.yml | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 60ee15abf..b1b1a2eb8 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml 
@@ -14,7 +14,7 @@ jobs: run: | sudo apt-get -y update sudo apt-get -y install python3-pip - pip install mkdocs-material==7.2.5 pygments==2.10.0 mkdocs-redirects==1.0.3 + pip install mkdocs-material==7.2.6 pygments==2.10.0 mkdocs-redirects==1.0.3 - name: Build site 🔧 run: | diff --git a/README.md b/README.md index 434fa7178..09c0045cd 100644 --- a/README.md +++ b/README.md @@ -9,6 +9,6 @@ https://mailcow.github.io/mailcow-dockerized-docs To build it locally, you need the [Material theme for MkDocs](https://squidfunk.github.io/mkdocs-material/), [MkDocs](https://www.mkdocs.org/) itself and [Pygments](http://pygments.org/). To install these with [pip](https://pip.pypa.io/en/stable/) and get it up and running, fire up your terminal and enter ``` -pip install mkdocs-material==7.2.5 pygments==2.10.0 mkdocs-redirects==1.0.3 +pip install mkdocs-material==7.2.6 pygments==2.10.0 mkdocs-redirects==1.0.3 mkdocs serve ``` From 3f6e6f0058b3819fd0a55c9e5d0964df773e67e3 Mon Sep 17 00:00:00 2001 From: FingerlessGloves Date: Mon, 6 Sep 2021 14:27:17 +0100 Subject: [PATCH 187/288] Add steps to enable local spell checking Add steps to enable local spell checking, currently it uses spell.roundcube.net, which has been discontinued (due to funding), but as a self hosted service, most people would want spell checking to happen on their own servers not someone else's. I wasn't aware it was doing this until the service got discontinued. --- docs/third_party-roundcube.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/docs/third_party-roundcube.md b/docs/third_party-roundcube.md index 877c4273a..665c8ae2a 100644 --- a/docs/third_party-roundcube.md +++ b/docs/third_party-roundcube.md 
@@ -9,6 +9,13 @@ mv roundcubemail-1.5-rc rc chown -R root: rc/ ``` +Create a file `data/hooks/phpfpm/aspell.sh` with the following content, then `chmod +x data/hooks/phpfpm/aspell.sh`. This installs a local spell check engine. +``` +#!/bin/bash +apk update +apk add aspell-en +``` + Create a file `data/web/rc/config/config.inc.php` with the following content. **Change the `des_key` parameter to a random value.** It is used to temporarily store your IMAP password. The "db_prefix" is optional but recommended. @@ -36,6 +43,7 @@ $config['plugins'] = array( 'archive', 'managesieve' ); +$config['spellcheck_engine'] = 'pspell'; $config['mime_types'] = '/tmp/mime.types'; $config['imap_conn_options'] = array( 'ssl' => array('verify_peer' => false, 'verify_peer_name' => false, 'allow_self_signed' => true) From 9105da403b41bce086233f16474baac2cc47143f Mon Sep 17 00:00:00 2001 From: andryyy Date: Wed, 8 Sep 2021 11:40:38 +0200 Subject: [PATCH 188/288] Move Postfix related post tasks to Postfix section --- docs/u_e-dovecot-catchall_vacation.md | 4 ++++ docs/{firststeps-relayhost.md => u_e-postfix-relayhost.md} | 0 ...teps-trust_networks.md => u_e-postfix-trust_networks.md} | 0 mkdocs.yml | 6 +++--- 4 files changed, 7 insertions(+), 3 deletions(-) create mode 100644 docs/u_e-dovecot-catchall_vacation.md rename docs/{firststeps-relayhost.md => u_e-postfix-relayhost.md} (100%) rename docs/{firststeps-trust_networks.md => u_e-postfix-trust_networks.md} (100%) diff --git a/docs/u_e-dovecot-catchall_vacation.md b/docs/u_e-dovecot-catchall_vacation.md new file mode 100644 index 000000000..4cc3bbb89 --- /dev/null +++ b/docs/u_e-dovecot-catchall_vacation.md 
@@ -0,0 +1,4 @@ +The Dovecot parameter `sieve_vacation_dont_check_recipient` - which was by default set to `yes` in mailcow configurations pre 21st July - allows for vacation replies even when a mail is sent to non-existent mailboxes like a catch-all addresses. + +We decided to switch this parameter back to `no` and allow a user to specify which recipient address triggers a vacation reply. The triggering recipients can also be configured in SOGos autoresponder feature. + diff --git a/docs/firststeps-relayhost.md b/docs/u_e-postfix-relayhost.md similarity index 100% rename from docs/firststeps-relayhost.md rename to docs/u_e-postfix-relayhost.md diff --git a/docs/firststeps-trust_networks.md b/docs/u_e-postfix-trust_networks.md similarity index 100% rename from docs/firststeps-trust_networks.md rename to docs/u_e-postfix-trust_networks.md diff --git a/mkdocs.yml b/mkdocs.yml index 6e91ac88b..aa3351e2d 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -38,12 +38,10 @@ nav: - 'IP bindings': 'firststeps-ip_bindings.md' - 'Local MTA on Docker host': 'firststeps-local_mta.md' - 'Logging': 'firststeps-logging.md' - - 'Relayhosts': 'firststeps-relayhost.md' - 'Reverse Proxy': 'firststeps-rp.md' - 'Rspamd UI': 'firststeps-rspamd_ui.md' - 'SNAT': 'firststeps-snat.md' - 'Sync job migration': 'firststeps-sync_jobs_migration.md' - - 'Add trusted networks': 'firststeps-trust_networks.md' - 'Models': - 'ACL': 'model-acl.md' - 'Password hashing': 'model-passwd.md' 
@@ -80,12 +78,14 @@ nav: - 'Two-Factor Authentication': 'u_e-mailcow_ui-tfa.md' - 'WebAuthn / FIDO2': 'u_e-fido2.md' - 'Postfix': + - 'Add trusted networks': 'u_e-postfix-trust_networks.md' - 'Custom transport maps': 'u_e-postfix-custom_transport.md' - - 'Whitelist IP in Postscreen': 'u_e-postfix-postscreen_whitelist.md' - 'Customize/Expand main.cf': 'u_e-postfix-extra_cf.md' - 'Disable Sender Addresses Verification': 'u_e-postfix-disable_sender_verification.md' - 'Max. message size (attachment size)': 'u_e-postfix-attachment_size.md' + - 'Relayhosts': 'u_e-postfix-relayhost.md' - 'Statistics with pflogsumm': 'u_e-postfix-pflogsumm.md' + - 'Whitelist IP in Postscreen': 'u_e-postfix-postscreen_whitelist.md' - 'Unbound': - 'Using an external DNS service': 'u_e-unbound-fwd.md' - 'Dovecot': From 09c407e99caea0df765bc0df9e62a97b761afb24 Mon Sep 17 00:00:00 2001 From: Johnny Moore Date: Wed, 8 Sep 2021 11:00:49 +0100 Subject: [PATCH 189/288] Update u_e-mailcow_ui-tagging.md Include the term 'plus addressing' and the RFC 5233 term 'sub-addressing' to make the information easier to find when searching. --- docs/u_e-mailcow_ui-tagging.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/u_e-mailcow_ui-tagging.md b/docs/u_e-mailcow_ui-tagging.md index f9b3ad3ec..10cd1da96 100644 --- a/docs/u_e-mailcow_ui-tagging.md +++ b/docs/u_e-mailcow_ui-tagging.md @@ -1,6 +1,9 @@ Mailbox users can tag their mail address like in `me+facebook@example.org`. They can control the tag handling in the users **mailcow UI** panel. ![mailcow mail tagging settings](images/mailcow-tagging.png) +*Tagging is also known as 'sub-addressing' (RFC 5233) or 'plus addressing'* + + ### Available Actions 1\. Move this message to a sub folder "facebook" (will be created lower case if not existing) From 3e72d5ffdf40d176290ad128f1204b86abd4d8bf Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Thu, 9 Sep 2021 13:40:46 +0200 Subject: [PATCH 190/288] Update third_party-roundcube.md --- docs/third_party-roundcube.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/third_party-roundcube.md b/docs/third_party-roundcube.md index 665c8ae2a..615f97163 100644 --- a/docs/third_party-roundcube.md +++ b/docs/third_party-roundcube.md @@ -9,11 +9,11 @@ mv roundcubemail-1.5-rc rc chown -R root: rc/ ``` -Create a file `data/hooks/phpfpm/aspell.sh` with the following content, then `chmod +x data/hooks/phpfpm/aspell.sh`. This installs a local spell check engine. +If you need spell check features, create a file `data/hooks/phpfpm/aspell.sh` with the following content, then `chmod +x data/hooks/phpfpm/aspell.sh`. This installs a local spell check engine. ``` #!/bin/bash apk update -apk add aspell-en +apk add aspell-en # or any other language ``` Create a file `data/web/rc/config/config.inc.php` with the following content. From 4f8cf745a6e3f3df3272576715e4e68d5dae9aab Mon Sep 17 00:00:00 2001 From: Dmitriy Alekseev <1865999+dragoangel@users.noreply.github.com> Date: Thu, 16 Sep 2021 22:41:26 +0300 Subject: [PATCH 191/288] Update info about port checking under Windows --- docs/debug-common_problems.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/debug-common_problems.md b/docs/debug-common_problems.md index dbc5ace30..92686019f 100644 --- a/docs/debug-common_problems.md +++ b/docs/debug-common_problems.md 
@@ -60,7 +60,7 @@ Docker and iptables-based firewalls sometimes create conflicting rules, so disab If you experience connection problems from home, please check your ISP router's firewall too, some of them block mail traffic on the *SMTP* (587) or *SMTPS* (465) ports. It could also be, that your ISP is blocking the ports for *SUBMISSION* (25). -While Linux users can chose from a variety of tools[^1] to check if a port is open, the Windows user has only the command `telnet host port` available by default (and it has to be activated since Windows Vista). +While Linux users can chose from a variety of tools[^1] to check if a port is open, the Windows user has only the PowerShell command `Test-NetConnection -ComputerName host -Port port` available by default. To enable telnet on a Windows after Vista please check this [guide](https://social.technet.microsoft.com/wiki/contents/articles/910.windows-7-enabling-telnet-client.aspx) or enter the following command in an terminal **with administrator privileges**: From 28c3f0ffe0df4a0ac6d12388ed8b37db213e652e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Sat, 18 Sep 2021 17:06:31 +0200 Subject: [PATCH 192/288] Update firststeps-dmarc_reporting.md --- docs/firststeps-dmarc_reporting.md | 64 +++++++++++++++++++----------- 1 file changed, 40 insertions(+), 24 deletions(-) diff --git a/docs/firststeps-dmarc_reporting.md b/docs/firststeps-dmarc_reporting.md index 7c78c201a..263358efb 100644 --- a/docs/firststeps-dmarc_reporting.md +++ b/docs/firststeps-dmarc_reporting.md 
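Review bot: in PATCH 191/288 the rewritten sentence says Windows users have only `Test-NetConnection -ComputerName host -Port port` by default, but the unchanged paragraph directly below it still begins "To enable telnet on a Windows after Vista please check this guide", which no longer follows from anything above it. Either drop the telnet paragraph and its command or reword the new sentence to present telnet as an optional alternative; "can chose" on the changed line should read "can choose". While this section is being touched, the context paragraph labels 587 as SMTP and 25 as SUBMISSION, which is the wrong way round.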
@@ -3,18 +3,17 @@ DMARC Reporting done via Rspamd DMARC Module. Rspamd documentation can be found here: https://rspamd.com/doc/modules/dmarc.html **Important:** -1. Before you use the examples below, change `example.com`, `mail.example.com` and `Example` to reflect your setup +1. Change `example.com`, `mail.example.com` and `Example` to reflect your setup 2. DMARC reporting requires additional attention, especially over the first few days -3. All receiving domains hosted on mailcow send from one reporting domain. Recommended to use parent domain of your `MAILCOW_HOSTNAME`, for example: - - if your `MAILCOW_HOSTNAME=mail.example.com` then change your reporting config to match `domain = "example.com";` - - set `email` from the same domain also, `email = "noreply-dmarc@example.com";` -4. This optional, but recommended step: create `noreply-dmarc` email user in mailcow to handle bounces. - - Go to mailcow admin UI → Configuration → Mail Setup → Mailboxes → Add mailbox → Create mailbox `noreply-dmarc`, please choose correct domain - - In case you want silently discard bounces: login in SOGo from this account and go to Preferences → Mail → Filters → Create Filter → Add action → Provide name, enter `noreply` and add action: Discard the message and save filter - - In case you plan to resend a copy of reports to yourself, you need to add a condition to previous filter example `From is not noreply-dmarc@example.com` +3. All receiving domains hosted on mailcow send from one reporting domain. It is recommended to use the parent domain of your `MAILCOW_HOSTNAME`: + - If your `MAILCOW_HOSTNAME` is `mail.example.com` change the following config to `domain = "example.com";` + - Set `email` equally, e.g. `email = "noreply-dmarc@example.com";` +4. It is optional but recommended to create an email user `noreply-dmarc` in mailcow to handle bounces. + +## Enable DMARC reporting + +1. 
Create the file `data/conf/rspamd/local.d/dmarc.conf` and set the following content: -## Enable DMARC Reporting -1. Create or edit file in `data/conf/rspamd/local.d/dmarc.conf` and set contents to: ``` reporting { enabled = true; @@ -30,7 +29,9 @@ reporting { keys_expire = 2d; } ``` -2. Create `docker-compose.override.yml` or merge with your existing one: + +2. Create or modify `docker-compose.override.yml` in the mailcow-dockerized base directory: + ``` version: '2.1' 
@@ -46,56 +47,71 @@ services: depends_on: - rspamd-mailcow ``` + 3. Run `docker-compose up -d` ## Send a copy reports to yourself -To receive a hidden copy of reports generated by Rspamd you can set a `bcc_addrs` list in `reporting` section. + +To receive a hidden copy of reports generated by Rspamd you can set a `bcc_addrs` list in the `reporting` config section of `data/conf/rspamd/local.d/dmarc.conf`: ``` reporting { enabled = true; email = 'noreply-dmarc@example.com'; bcc_addrs = ["noreply-dmarc@example.com","parsedmarc@example.com"]; -... +[...] ``` -Rspamd will load changes in real time, no need to restart it. +Rspamd will load changes in real time, so you won't need to restart the container at this point. -This useful in case: -- you want to check that your DMARC Reports send correctly, check that they signed by DKIM, etc. -- you want to analyze own reports to get statics data, for example use with ParseDMARC or other analytic system +This can be useful if you... + +- ...want to check that your DMARC reports are sent correctly and authenticated. +- ...want to analyze your own reports to get statistics, i.e. to use with ParseDMARC or other analytic systems. ## Troubleshooting -Check when the report schedule last ran +Check when the report schedule last ran: + ``` docker-compose exec rspamd-mailcow date -r /var/lib/rspamd/dmarc_reports_last_log ``` -See last report output +See the latest report output: + ``` docker-compose exec rspamd-mailcow cat /var/lib/rspamd/dmarc_reports_last_log ``` -Manually Trigger DMARC report +Manually trigger a DMARC report: + ``` docker-compose exec rspamd-mailcow rspamadm dmarc_report ``` -Validate that Rspamd has recorded data in Redis +Validate that Rspamd has recorded data in Redis: + ``` docker-compose exec redis-mailcow redis-cli KEYS 'dmarc;*' docker-compose exec redis-mailcow redis-cli HGETALL "dmarc;example.com;20211231" ``` -## Change DMARC Reporting Frequency -In the example above reports are send once a 24 hours. 
To change this behaviour: -1. Adjust `ofelia.job-exec.rspamd_dmarc_reporting.schedule: "@every 24h"` to desired value in `docker-compose.override.yml` +## Change DMARC reporting frequency + +In the example above reports are sent once every 24 hours. You may want to change that interval: + +1. Edit `docker-compose.override.yml` and a djust `ofelia.job-exec.rspamd_dmarc_reporting.schedule: "@every 24h"` to a desired value. + 2. Run `docker-compose up -d` + 3. Run `docker-compose restart ofelia-mailcow` ## Disable DMARC Reporting + To disable reporting: + 1. Set `enabled` to `false` in `data/conf/rspamd/local.d/dmarc.conf` + 2. Revert changes done to `docker-compose.override.yml` + 3. Run `docker-compose up -d` From 3421da47be3ffe5f7aeb2e64440e4124d0119257 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Sat, 18 Sep 2021 17:06:52 +0200 Subject: [PATCH 193/288] Update firststeps-dmarc_reporting.md --- docs/firststeps-dmarc_reporting.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/firststeps-dmarc_reporting.md b/docs/firststeps-dmarc_reporting.md index 263358efb..aabfdb229 100644 --- a/docs/firststeps-dmarc_reporting.md +++ b/docs/firststeps-dmarc_reporting.md @@ -3,11 +3,15 @@ DMARC Reporting done via Rspamd DMARC Module. Rspamd documentation can be found here: https://rspamd.com/doc/modules/dmarc.html **Important:** + 1. Change `example.com`, `mail.example.com` and `Example` to reflect your setup + 2. DMARC reporting requires additional attention, especially over the first few days + 3. All receiving domains hosted on mailcow send from one reporting domain. It is recommended to use the parent domain of your `MAILCOW_HOSTNAME`: - If your `MAILCOW_HOSTNAME` is `mail.example.com` change the following config to `domain = "example.com";` - Set `email` equally, e.g. `email = "noreply-dmarc@example.com";` + 4. It is optional but recommended to create an email user `noreply-dmarc` in mailcow to handle bounces. ## Enable DMARC reporting 
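Review bot: in PATCH 192/288, hunk `@@ -46,56 +47,71 @@`, the new step 1 under "Change DMARC reporting frequency" reads "and a djust", which should be "and adjust". The same hunk lowercases the other headings to "reporting" but leaves `## Disable DMARC Reporting` capitalised; use one form throughout.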
From cc5f64c772845cf01b77b83707e615c629f073a6 Mon Sep 17 00:00:00 2001 From: Peter Date: Mon, 20 Sep 2021 17:51:34 +0200 Subject: [PATCH 194/288] [GH-Actions][pages] Update mkdocs-material to 7.2.8 --- .github/workflows/gh-pages.yml | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index b1b1a2eb8..651f79502 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -14,7 +14,7 @@ jobs: run: | sudo apt-get -y update sudo apt-get -y install python3-pip - pip install mkdocs-material==7.2.6 pygments==2.10.0 mkdocs-redirects==1.0.3 + pip install mkdocs-material==7.2.8 pygments==2.10.0 mkdocs-redirects==1.0.3 - name: Build site 🔧 run: | diff --git a/README.md b/README.md index 09c0045cd..cf57ecd78 100644 --- a/README.md +++ b/README.md @@ -9,6 +9,6 @@ https://mailcow.github.io/mailcow-dockerized-docs To build it locally, you need the [Material theme for MkDocs](https://squidfunk.github.io/mkdocs-material/), [MkDocs](https://www.mkdocs.org/) itself and [Pygments](http://pygments.org/). To install these with [pip](https://pip.pypa.io/en/stable/) and get it up and running, fire up your terminal and enter ``` -pip install mkdocs-material==7.2.6 pygments==2.10.0 mkdocs-redirects==1.0.3 +pip install mkdocs-material==7.2.8 pygments==2.10.0 mkdocs-redirects==1.0.3 mkdocs serve ``` From 4a36961848ee3c735471dda07b2d29c8ef4c6849 Mon Sep 17 00:00:00 2001 From: g4rf Date: Thu, 23 Sep 2021 15:05:04 +0200 Subject: [PATCH 195/288] added mailman3 integration to menu --- mkdocs.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/mkdocs.yml b/mkdocs.yml index 3441d2f74..4b1c58db6 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
@@ -135,6 +135,7 @@ nav: - 'Portainer': 'third_party-portainer.md' - 'Roundcube': 'third_party-roundcube.md' - 'SOGo Connector for Thunderbird': 'third_party-thunderbird.md' + - 'Mailman3': 'third_party-mailman3.md' extra: palette: primary: "indigo" From d2259b05443677042d8cf3dbf74e6ea57f02af66 Mon Sep 17 00:00:00 2001 From: g4rf Date: Thu, 23 Sep 2021 15:15:34 +0200 Subject: [PATCH 196/288] Create third_party-mailman3.md --- docs/third_party-mailman3.md | 322 +++++++++++++++++++++++++++++++++++ 1 file changed, 322 insertions(+) create mode 100644 docs/third_party-mailman3.md diff --git a/docs/third_party-mailman3.md b/docs/third_party-mailman3.md new file mode 100644 index 000000000..652b18d2d --- /dev/null +++ b/docs/third_party-mailman3.md 
@@ -0,0 +1,322 @@ +# Installing Mailcow and Mailman3 based on dockerized versions + +This guide is a copy from [dockerized-mailcow-mailman](https://github.com/g4rf/dockerized-mailcow-mailman). + +## Introduction + +This guide aims to install and configure [mailcow-dockerized](https://github.com/mailcow/mailcow-dockerized) with [docker-mailman](https://github.com/maxking/docker-mailman) and to provide some useful scripts. An essential condition is, to preserve *Mailcow* and *Mailman* in their own installations for independent updates. + +There are some guides and projects on the internet, but they are not up to date and/or incomplete in documentation or configuration. This guide is based on the work of: + +- [mailcow-mailman3-dockerized](https://github.com/Shadowghost/mailcow-mailman3-dockerized) by [Shadowghost](https://github.com/Shadowghost) +- [mailman-mailcow-integration](https://gitbucket.pgollor.de/docker/mailman-mailcow-integration) + +After finishing this guide, [mailcow-dockerized](https://github.com/mailcow/mailcow-dockerized) and [docker-mailman](https://github.com/maxking/docker-mailman) will run and *Apache* as a reverse proxy will serve the web frontends. + +The operating system used is an *Ubuntu 20.04 LTS*. + +## Disclaimer + +I'm not responsible for any data loss, hardware damage or broken keyboards. This guide comes without any warranty. Make backups before starting, 'coze: **No backup no pity!** + +## Installation + +This guide ist based on different steps: + +1. DNS setup +1. Install *Apache* as a reverse proxy +1. Obtain ssl certificates with *Let's Encrypt* +1. Install *Mailcow* with *Mailman* integration +1. Install *Mailman* +1. 🏃 Run + +### DNS setup + +Most of the configuration ist covered by *Mailcow*s [DNS setup](https://mailcow.github.io/mailcow-dockerized-docs/prerequisite-dns/). After finishing this setup add another subdomain for *Mailman*, e.g. 
`lists.example.org` that points to the same server: + +``` +# Name Type Value +lists IN A 1.2.3.4 +lists IN AAAA dead:beef +``` + +### Install *Apache* as a reverse proxy + +Install *Apache*, e.g. with this guide from *Digital Ocean*: [How To Install the Apache Web Server on Ubuntu 20.04](https://www.digitalocean.com/community/tutorials/how-to-install-the-apache-web-server-on-ubuntu-20-04). + +Activate certain *Apache* modules (as *root* or *sudo*): + +``` +a2enmod rewrite proxy proxy_http headers ssl wsgi proxy_uwsgi http2 +``` + +Maybe you have to install further packages to get these modules. This [PPA](https://launchpad.net/~ondrej/+archive/ubuntu/apache2) by *Ondřej Surý* may help you. + +#### vhost configuration + +Copy the [mailcow.conf](https://github.com/g4rf/dockerized-mailcow-mailman/tree/master/apache/mailcow.conf) and the [mailman.conf](https://github.com/g4rf/dockerized-mailcow-mailman/tree/master/apache/mailman.conf) to the *Apache* conf folder `sites-available` (e.g. under `/etc/apache2/sites-available`). + +Change in `mailcow.conf`: +- `MAILCOW_HOSTNAME` to your **MAILCOW_HOSTNAME** + +Change in `mailman.conf`: +- `MAILMAN_DOMAIN` to your *Mailman* domain (e.g. `lists.example.org`) + +**Don't activate the configuration, as the ssl certificates and directories are missing yet.** + + +### Obtain ssl certificates with *Let's Encrypt* + +Check if your DNS config is available over the internet and points to the right IP addresses, e.g. 
with [MXToolBox](https://mxtoolbox.com): + +- https://mxtoolbox.com/SuperTool.aspx?action=a%3aMAILCOW_HOSTNAME +- https://mxtoolbox.com/SuperTool.aspx?action=aaaa%3aMAILCOW_HOSTNAME +- https://mxtoolbox.com/SuperTool.aspx?action=a%3aMAILMAN_DOMAIN +- https://mxtoolbox.com/SuperTool.aspx?action=aaaa%3aMAILMAN_DOMAIN + +Install [certbot](https://certbot.eff.org/) (as *root* or *sudo*): + +``` +apt install certbot +``` + +Get the desired certificates (as *root* or *sudo*): + +``` +certbot certonly -d MAILCOW_HOSTNAME +certbot certonly -d MAILMAN_DOMAIN +``` + +### Install *Mailcow* with *Mailman* integration + +#### install Mailcow + +Follow the [Mailcow installation](https://mailcow.github.io/mailcow-dockerized-docs/i_u_m_install/). **Omit step 5 and do not pull and up with `docker-compose`!** + +#### configure Mailcow + +This is also **Step 4** in the official *Mailcow installation* (`nano mailcow.conf`). So change to your needs and alter the following variables: + +``` +HTTP_PORT=18080 # don't use 8080 as mailman needs it +HTTP_BIND=127.0.0.1 # +HTTPS_PORT=18443 # you may use 8443 +HTTPS_BIND=127.0.0.1 # + +SKIP_LETS_ENCRYPT=y # reverse proxy will do the ssl termination + +SNAT_TO_SOURCE=1.2.3.4 # change this to your ipv4 +SNAT6_TO_SOURCE=dead:beef # change this to your global ipv6 +``` + +#### add Mailman integration + +Create the file `/opt/mailcow-dockerized/docker-compose.override.yml` (e.g. with `nano`) and add the following lines: + +``` +version: '2.1' + +services: + postfix-mailcow: + volumes: + - /opt/mailman:/opt/mailman + networks: + - docker-mailman_mailman + +networks: + docker-mailman_mailman: + external: true +``` +The additional volume is used by *Mailman* to generate additional config files for *Mailcow postfix*. The external network is build and used by *Mailman*. *Mailcow* needs it to deliver incoming list mails to *Mailman*. +dockerized-mailcow-mailman +Create the file `/opt/mailcow-dockerized/data/conf/postfix/extra.cf` (e.g. 
with `nano`) and add the following lines: + +``` +# mailman + +recipient_delimiter = + +unknown_local_recipient_reject_code = 550 +owner_request_special = no + +local_recipient_maps = + regexp:/opt/mailman/core/var/data/postfix_lmtp, + proxy:unix:passwd.byname, + $alias_maps +virtual_mailbox_maps = + proxy:mysql:/opt/postfix/conf/sql/mysql_virtual_mailbox_maps.cf, + regexp:/opt/mailman/core/var/data/postfix_lmtp +transport_maps = + pcre:/opt/postfix/conf/custom_transport.pcre, + pcre:/opt/postfix/conf/local_transport, + proxy:mysql:/opt/postfix/conf/sql/mysql_relay_ne.cf, + proxy:mysql:/opt/postfix/conf/sql/mysql_transport_maps.cf, + regexp:/opt/mailman/core/var/data/postfix_lmtp +relay_domains = + proxy:mysql:/opt/postfix/conf/sql/mysql_virtual_relay_domain_maps.cf, + regexp:/opt/mailman/core/var/data/postfix_domains +relay_recipient_maps = + proxy:mysql:/opt/postfix/conf/sql/mysql_relay_recipient_maps.cf, + regexp:/opt/mailman/core/var/data/postfix_lmtp +``` +As we overwrite *Mailcow postfix* configuration here, this step may break your normal mail transports. Check the [original configuration files](https://github.com/mailcow/mailcow-dockerized/tree/master/data/conf/postfix) if anything changed. + +#### ssl certificates + +As we proxying *Mailcow*, we need to copy the ssl certificates into the *Mailcow* file structure. This task will do the script [renew-ssl.sh](https://github.com/g4rf/dockerized-mailcow-mailman/tree/master/scripts/renew-ssl.sh) for us: + +- copy the file to `/opt/mailcow-dockerized` +- change **MAILCOW_HOSTNAME** to your *Mailcow* hostname +- make it executable (`chmod a+x renew-ssl.sh`) +- **do not run it yet, as we first need Mailman** + +You have to create a *cronjob*, so that new certificates will be copied. 
Execute as *root* or *sudo*: + +``` +crontab -e +``` + +To run the script every day at 5am, add: + +``` +0 5 * * * /opt/mailcow-dockerized/renew-ssl.sh +``` + +### Install *Mailman* + +Basicly follow the instructions at [docker-mailman](https://github.com/maxking/docker-mailman). As they are a lot, here is in a nuthshell what to do: + +As *root* or *sudo*: + +``` +cd /opt +mkdir -p mailman/core +mkdir -p mailman/web +git clone https://github.com/maxking/docker-mailman +cd docker-mailman +``` + +#### configure Mailman + +Create a long key for *Hyperkitty*, e.g. with the linux command `cat /dev/urandom | tr -dc a-zA-Z0-9 | head -c30; echo`. Save this key for a moment as HYPERKITTY_KEY. + +Create a long password for the database, e.g. with the linux command `cat /dev/urandom | tr -dc a-zA-Z0-9 | head -c30; echo`. Save this password for a moment as DBPASS. + +Create a long key for *Django*, e.g. with the linux command `cat /dev/urandom | tr -dc a-zA-Z0-9 | head -c30; echo`. Save this key for a moment as DJANGO_KEY. + +Create the file `/opt/docker-mailman/docker-compose.override.yaml` and replace `HYPERKITTY_KEY`, `DBPASS` and `DJANGO_KEY` with the generated values: + +``` +version: '2' + +services: + mailman-core: + environment: + - DATABASE_URL=postgres://mailman:DBPASS@database/mailmandb + - HYPERKITTY_API_KEY=HYPERKITTY_KEY + - TZ=Europe/Berlin + - MTA=postfix + restart: always + networks: + - mailman + + mailman-web: + environment: + - DATABASE_URL=postgres://mailman:DBPASS@database/mailmandb + - HYPERKITTY_API_KEY=HYPERKITTY_KEY + - TZ=Europe/Berlin + - SECRET_KEY=DJANGO_KEY + - SERVE_FROM_DOMAIN=MAILMAN_DOMAIN # e.g. 
lists.example.org + - MAILMAN_ADMIN_USER=admin # the admin user + - MAILMAN_ADMIN_EMAIL=admin@example.org # the admin mail address + - UWSGI_STATIC_MAP=/static=/opt/mailman-web-data/static + restart: always + + database: + environment: + - POSTGRES_PASSWORD=DBPASS + restart: always +``` + +At `mailman-web` fill in correct values for `SERVE_FROM_DOMAIN` (e.g. `lists.example.org`), `MAILMAN_ADMIN_USER` and `MAILMAN_ADMIN_EMAIL`. You need the admin credentials to log into the web interface (*Pistorius*). For setting **the password for the first time** use the *Forgot password* function in the web interface. + +About other configuration options read [Mailman-web](https://github.com/maxking/docker-mailman#mailman-web-1) and [Mailman-core](https://github.com/maxking/docker-mailman#mailman-core-1) documentation. + +#### configure Mailman core and Mailman web + +Create the file `/opt/mailman/core/mailman-extra.cfg` with the following content. `mailman@example.org` should be pointing to a valid mail box or redirection. + +``` +[mailman] +default_language: de +site_owner: mailman@example.org +``` + +Create the file `/opt/mailman/web/settings_local.py` with the following content. `mailman@example.org` should be pointing to a valid mail box or redirection. + +``` +# locale +LANGUAGE_CODE = 'de-de' + +# disable social authentication +SOCIALACCOUNT_PROVIDERS = {} + +# change it +DEFAULT_FROM_EMAIL = 'mailman@example.org' + +DEBUG = False +``` +You can change `LANGUAGE_CODE` and `SOCIALACCOUNT_PROVIDERS` to your needs. At the moment `SOCIALACCOUNT_PROVIDERS` has no effect, see [issue #2](https://github.com/g4rf/dockerized-mailcow-mailman/issues/2). 
+ + +### 🏃 Run + +Run (as *root* or *sudo*) + +``` +a2ensite mailcow.conf +a2ensite mailman.conf +systemctl restart apache2 + +cd /opt/docker-mailman +docker-compose pull +docker-compose up -d + +cd /opt/mailcow-dockerized/ +docker-compose pull +./renew-ssl.sh +``` + +**Wait a few minutes!** The containers have to create there databases and config files. This can last up to 1 minute and more. + +## Remarks + +### New lists aren't recognized by postfix instantly + +When you create a new list and try to immediately send an e-mail, *postfix* responses with `User doesn't exist`, because *postfix* won't deliver it to *Mailman* yet. The configuration at `/opt/mailman/core/var/data/postfix_lmtp` is not instantly updated. If you need the list instantly, restart *postifx* manually: + +``` +cd /opt/mailcow-dockerized +docker-compose restart postfix-mailcow +``` + +## Update + +**Mailcow** has it's own update script in `/opt/mailcow-dockerized/update.sh', [see the docs](https://mailcow.github.io/mailcow-dockerized-docs/i_u_m_update/). + +For **Mailman** just fetch the newest version from the [github repository](https://github.com/maxking/docker-mailman). + +## Backup + +**Mailcow** has an own backup script. [Read the docs](https://mailcow.github.io/mailcow-dockerized-docs/b_n_r_backup/) for further informations. + +**Mailman** won't state backup instructions in the README.md. In the [gitbucket of pgollor](https://gitbucket.pgollor.de/docker/mailman-mailcow-integration/blob/master/mailman-backup.sh) is a script that may be helpful. + +## ToDo + +### install script + +Write a script like in [mailman-mailcow-integration/mailman-install.sh](https://gitbucket.pgollor.de/docker/mailman-mailcow-integration/blob/master/mailman-install.sh) as many of the steps are automatable. + +1. Ask for all the configuration variables and create passwords and keys. +2. Do a (semi-)automatic installation. +3. Have fun! From 4d65155aec0646500114a97e8e9e2d2a0743d018 Mon Sep 17 00:00:00 2001 
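Review bot: in the new `docs/third_party-mailman3.md`, a stray line `dockerized-mailcow-mailman` sits between the paragraph explaining the override file and "Create the file `/opt/mailcow-dockerized/data/conf/postfix/extra.cf`" and will render as body text; remove it. In the Update section, `/opt/mailcow-dockerized/update.sh'` opens with a backtick and closes with an apostrophe, which leaves the inline code unterminated. The web interface is called Postorius, not "Pistorius", and "ist", "Basicly", "nuthshell", "postifx", "there databases" and "it's own" need correcting. `chmod a+x renew-ssl.sh` makes a script that runs from root's crontab executable for every local user, where `chmod u+x` is enough. "Wait a few minutes" is followed by "up to 1 minute and more"; state one figure.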
From: g4rf Date: Thu, 23 Sep 2021 15:52:03 +0200 Subject: [PATCH 197/288] Added information for issues on original repo --- docs/third_party-mailman3.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/third_party-mailman3.md b/docs/third_party-mailman3.md index 652b18d2d..a80eaaf70 100644 --- a/docs/third_party-mailman3.md +++ b/docs/third_party-mailman3.md @@ -1,6 +1,6 @@ # Installing Mailcow and Mailman3 based on dockerized versions -This guide is a copy from [dockerized-mailcow-mailman](https://github.com/g4rf/dockerized-mailcow-mailman). +This guide is a copy from [dockerized-mailcow-mailman](https://github.com/g4rf/dockerized-mailcow-mailman). Please post issues, questions and improvements in the [issue tracker](https://github.com/g4rf/dockerized-mailcow-mailman/issues) there. ## Introduction From 450885e28e12af0d0ccc36f7b460dee03410c0a6 Mon Sep 17 00:00:00 2001 From: Peter Date: Thu, 23 Sep 2021 20:29:44 +0200 Subject: [PATCH 198/288] [GH-Actions][pages] Update mkdocs-material to 7.3.0 --- .github/workflows/gh-pages.yml | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 651f79502..67d9e6a3c 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -14,7 +14,7 @@ jobs: run: | sudo apt-get -y update sudo apt-get -y install python3-pip - pip install mkdocs-material==7.2.8 pygments==2.10.0 mkdocs-redirects==1.0.3 + pip install mkdocs-material==7.3.0 pygments==2.10.0 mkdocs-redirects==1.0.3 - name: Build site 🔧 run: | diff --git a/README.md b/README.md index cf57ecd78..bb3292657 100644 --- a/README.md +++ b/README.md 
@@ -9,6 +9,6 @@ https://mailcow.github.io/mailcow-dockerized-docs To build it locally, you need the [Material theme for MkDocs](https://squidfunk.github.io/mkdocs-material/), [MkDocs](https://www.mkdocs.org/) itself and [Pygments](http://pygments.org/). To install these with [pip](https://pip.pypa.io/en/stable/) and get it up and running, fire up your terminal and enter ``` -pip install mkdocs-material==7.2.8 pygments==2.10.0 mkdocs-redirects==1.0.3 +pip install mkdocs-material==7.3.0 pygments==2.10.0 mkdocs-redirects==1.0.3 mkdocs serve ``` From 05f2b8c5d768a41fa9b805bd13efd0d7fc9cd485 Mon Sep 17 00:00:00 2001 From: Peter Date: Thu, 23 Sep 2021 20:34:43 +0200 Subject: [PATCH 199/288] Add Back-to-top button --- mkdocs.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/mkdocs.yml b/mkdocs.yml index 3441d2f74..f48de3054 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -9,6 +9,8 @@ theme: name: material logo: images/logo.svg favicon: images/favicon.png + features: + - navigation.top markdown_extensions: - codehilite: guess_lang: true From 934d94340e5f79ef6164d35170de544263c0535d Mon Sep 17 00:00:00 2001 From: Peter Date: Thu, 23 Sep 2021 20:43:38 +0200 Subject: [PATCH 200/288] Add u_e-dovecot-catchall_vacation.md in mkdocs.yml --- mkdocs.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/mkdocs.yml b/mkdocs.yml index f48de3054..a27447bcc 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -102,6 +102,7 @@ nav: - 'Move Maildir (vmail)': 'u_e-dovecot-vmail-volume.md' - 'Public folders': 'u_e-dovecot-public_folder.md' - 'Static master user': 'u_e-dovecot-static_master.md' + - 'Vacation replies for catchall addresses': 'u_e-dovecot-catchall_vacation.md' - 'Nginx': - 'Custom sites': 'u_e-nginx.md' - 'Create subdomain webmail.example.org': 'u_e-webmail-site.md' From a2ab91bf010703576af0af50396639733094906c Mon Sep 17 00:00:00 2001 
From: Peter Date: Thu, 23 Sep 2021 20:46:38 +0200 Subject: [PATCH 201/288] Some sortings --- mkdocs.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/mkdocs.yml b/mkdocs.yml index a27447bcc..10d603780 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -37,12 +37,12 @@ nav: - 'Post Installation Tasks': - 'Advanced SSL': 'firststeps-ssl.md' - 'Disable IPv6': 'firststeps-disable_ipv6.md' + - 'DMARC Reporting': 'firststeps-dmarc_reporting.md' - 'IP bindings': 'firststeps-ip_bindings.md' - 'Local MTA on Docker host': 'firststeps-local_mta.md' - 'Logging': 'firststeps-logging.md' - 'Reverse Proxy': 'firststeps-rp.md' - 'Rspamd UI': 'firststeps-rspamd_ui.md' - - 'DMARC Reporting': 'firststeps-dmarc_reporting.md' - 'SNAT': 'firststeps-snat.md' - 'Sync job migration': 'firststeps-sync_jobs_migration.md' - 'Models': @@ -51,15 +51,15 @@ nav: - 'Sender and receiver model': 'model-sender_rcv.md' - 'General Troubleshooting': - 'Introduction': 'debug.md' - - 'Logs': 'debug-logs.md' + - 'Admin login to SOGo': 'debug-admin_login_sogo.md' + - 'Advanced: Find memory leaks in Rspamd': 'debug-asan_rspamd.md' - 'Attach a Container': 'debug-attach_service.md' - - 'Reset Passwords (incl. SQL)': 'debug-reset_pw.md' + - 'Common Problems': 'debug-common_problems.md' + - 'Logs': 'debug-logs.md' - 'Manual MySQL upgrade': 'debug-mysql_upgrade.md' - 'Remove Persistent Data': 'debug-rm_volumes.md' - - 'Common Problems': 'debug-common_problems.md' - - 'Admin login to SOGo': 'debug-admin_login_sogo.md' + - 'Reset Passwords (incl. SQL)': 'debug-reset_pw.md' - 'Reset TLS certificates': 'debug-reset_tls.md' - - 'Advanced: Find memory leaks in Rspamd': 'debug-asan_rspamd.md' - 'Backup & Restore': - 'Helper script': - 'Backup': 'b_n_r_backup.md' 
@@ -71,13 +71,13 @@ nav: - 'Recover accidentally deleted data': 'b_n_r_accidental_deletion.md' - 'Manual/Guides/Examples': - 'mailcow UI': + - 'Blacklist / Whitelist': 'u_e-mailcow_ui-bl_wl.md' - 'Configuration': 'u_e-mailcow_ui-config.md' - 'CSS overrides': 'u_e-mailcow_ui-css.md' - - 'Blacklist / Whitelist': 'u_e-mailcow_ui-bl_wl.md' - 'Pushover': 'u_e-mailcow_ui-pushover.md' - 'Spamfilter': 'u_e-mailcow_ui-spamfilter.md' - - 'Temporary email aliases': 'u_e-mailcow_ui-spamalias.md' - 'Tagging': 'u_e-mailcow_ui-tagging.md' + - 'Temporary email aliases': 'u_e-mailcow_ui-spamalias.md' - 'Two-Factor Authentication': 'u_e-mailcow_ui-tfa.md' - 'WebAuthn / FIDO2': 'u_e-fido2.md' - 'Postfix': @@ -92,9 +92,9 @@ nav: - 'Unbound': - 'Using an external DNS service': 'u_e-unbound-fwd.md' - 'Dovecot': + - 'Customize/Expand dovecot.conf': 'u_e-dovecot-extra_conf.md' - 'Enable "any" ACL settings': 'u_e-dovecot-any_acl.md' - 'Expunge a Users mails': 'u_e-dovecot-expunge.md' - - 'Customize/Expand dovecot.conf': 'u_e-dovecot-extra_conf.md' - 'FTS (Solr)': 'u_e-dovecot-fts.md' - 'IMAP IDLE interval': 'u_e-dovecot-idle_interval.md' - 'Mail crypt': 'u_e-dovecot-mail-crypt.md' @@ -104,8 +104,8 @@ nav: - 'Static master user': 'u_e-dovecot-static_master.md' - 'Vacation replies for catchall addresses': 'u_e-dovecot-catchall_vacation.md' - 'Nginx': - - 'Custom sites': 'u_e-nginx.md' - 'Create subdomain webmail.example.org': 'u_e-webmail-site.md' + - 'Custom sites': 'u_e-nginx.md' - 'Redis': 'u_e-redis.md' - 'Rspamd': 'u_e-rspamd.md' - 'SOGo': 'u_e-sogo.md' From 90ade59264bb905d17911cfc2e76dba8667d03c3 Mon Sep 17 00:00:00 2001 From: Andy Harp Date: Wed, 29 Sep 2021 23:23:46 -0500 Subject: [PATCH 202/288] Update third_party-roundcube.md Changing from "pspell" to "aspell" --- docs/third_party-roundcube.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/third_party-roundcube.md b/docs/third_party-roundcube.md index 615f97163..19f45b9f8 100644 
--- a/docs/third_party-roundcube.md +++ b/docs/third_party-roundcube.md @@ -43,7 +43,7 @@ $config['plugins'] = array( 'archive', 'managesieve' ); -$config['spellcheck_engine'] = 'pspell'; +$config['spellcheck_engine'] = 'aspell'; $config['mime_types'] = '/tmp/mime.types'; $config['imap_conn_options'] = array( 'ssl' => array('verify_peer' => false, 'verify_peer_name' => false, 'allow_self_signed' => true) From 4889962f9f0c4f5e25299feed2d176d939abcb0b Mon Sep 17 00:00:00 2001 From: qupfer Date: Thu, 30 Sep 2021 15:45:12 +0200 Subject: [PATCH 203/288] add crypt-vol-1 to borgmatic Your borg'ly stored vmail is useless if you lost your encryption keys. --- docs/third_party-borgmatic.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/third_party-borgmatic.md b/docs/third_party-borgmatic.md index 4d9de3d01..6c98dcae1 100644 --- a/docs/third_party-borgmatic.md +++ b/docs/third_party-borgmatic.md @@ -30,6 +30,7 @@ services: dns: ${IPV4_NETWORK:-172.22.1}.254 volumes: - vmail-vol-1:/mnt/source/vmail:ro + - crypt-vol-1:/mnt/source/crypt:ro - mysql-socket-vol-1:/var/run/mysqld/:z - ./data/conf/borgmatic/etc:/etc/borgmatic.d:Z - ./data/conf/borgmatic/state:/root/.config/borg:Z @@ -244,4 +245,4 @@ To fetch the keyfile run: docker-compose exec borgmatic-mailcow borg key export --paper user@rsync.net:mailcow ``` -Where `user@rsync.net:mailcow` is the URI to your repository. \ No newline at end of file +Where `user@rsync.net:mailcow` is the URI to your repository. From 6ffa53c7d917c2132331072cee37f45fe43447e5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Fri, 1 Oct 2021 08:15:51 +0200 Subject: [PATCH 204/288] Update i_u_m_install.md --- docs/i_u_m_install.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/i_u_m_install.md b/docs/i_u_m_install.md index cd9469a30..5812ea376 100644 --- a/docs/i_u_m_install.md +++ b/docs/i_u_m_install.md 
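Review bot: in PATCH 202/288 the hunk sets `$config['spellcheck_engine'] = 'aspell';` and the commit message only restates the change without saying what failed with `pspell`. Please confirm against Roundcube's configuration reference that `aspell` is an accepted engine name before merging, and state in the commit message which symptom this fixes.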
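Review bot: PATCH 203/288 adds the `crypt-vol-1:/mnt/source/crypt:ro` mount and otherwise only touches the final newline, so if the borgmatic config example on the page lists its source directories explicitly, `/mnt/source/crypt` has to be added there as well or the keys are mounted without being backed up. If the page describes restoring, it should also say that the crypt volume is restored together with vmail, since the commit message's own reasoning is that the mail is useless without those keys.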
@@ -1,4 +1,4 @@ -You need Docker (a version >= `20.10.2` is required) and Docker Compose. +You need Docker (a version >= `20.10.2` is required) and Docker Compose 1.x. **1\.** Learn how to install [Docker](https://docs.docker.com/install/) and [Docker Compose](https://docs.docker.com/compose/install/). @@ -14,7 +14,7 @@ systemctl enable --now docker - Docker-Compose !!! warning - **mailcow requires the latest version of docker-compose.** It is highly recommended to use the commands below to install `docker-compose`. Package managers (e.g. `apt`, `yum`) **likely won't** give you the latest version. + **mailcow requires the latest version of docker-compose v1.** It is highly recommended to use the commands below to install `docker-compose`. Package managers (e.g. `apt`, `yum`) **likely won't** give you the correct version. _Note: This command downloads docker-compose from the official Docker Github repository and is a safe method. The snippet will determine the latest supported version by mailcow. In almost all cases this is the latest version available (exceptions are broken releases or major changes not yet supported by mailcow)._ ``` From 900ed4209dbbfc44abdb5c99cd393eb05d293a9c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Fri, 1 Oct 2021 08:16:21 +0200 Subject: [PATCH 205/288] Update i_u_m_install.md --- docs/i_u_m_install.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/i_u_m_install.md b/docs/i_u_m_install.md index 5812ea376..e53644938 100644 --- a/docs/i_u_m_install.md +++ b/docs/i_u_m_install.md @@ -1,4 +1,4 @@ -You need Docker (a version >= `20.10.2` is required) and Docker Compose 1.x. +You need Docker (a version >= `20.10.2` is required) and Docker Compose (a version `<= 2.0` is required). **1\.** Learn how to install [Docker](https://docs.docker.com/install/) and [Docker Compose](https://docs.docker.com/compose/install/). From 90b87c6921b1a7fdd8ab0c17f694af474e517b73 Mon Sep 17 00:00:00 2001 
From: Peter Date: Sat, 2 Oct 2021 21:46:05 +0200 Subject: [PATCH 206/288] [GH-Actions][pages] Update mkdocs-material to 7.3.1 --- .github/workflows/gh-pages.yml | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 67d9e6a3c..278b46d52 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -14,7 +14,7 @@ jobs: run: | sudo apt-get -y update sudo apt-get -y install python3-pip - pip install mkdocs-material==7.3.0 pygments==2.10.0 mkdocs-redirects==1.0.3 + pip install mkdocs-material==7.3.1 pygments==2.10.0 mkdocs-redirects==1.0.3 - name: Build site 🔧 run: | diff --git a/README.md b/README.md index bb3292657..faf6ab165 100644 --- a/README.md +++ b/README.md @@ -9,6 +9,6 @@ https://mailcow.github.io/mailcow-dockerized-docs To build it locally, you need the [Material theme for MkDocs](https://squidfunk.github.io/mkdocs-material/), [MkDocs](https://www.mkdocs.org/) itself and [Pygments](http://pygments.org/). To install these with [pip](https://pip.pypa.io/en/stable/) and get it up and running, fire up your terminal and enter ``` -pip install mkdocs-material==7.3.0 pygments==2.10.0 mkdocs-redirects==1.0.3 +pip install mkdocs-material==7.3.1 pygments==2.10.0 mkdocs-redirects==1.0.3 mkdocs serve ``` From d60802604f58b3c5adc88691e24e0775e2472329 Mon Sep 17 00:00:00 2001 From: Peter Date: Sat, 2 Oct 2021 22:01:04 +0200 Subject: [PATCH 207/288] Update a bit third_party-mailman3.md --- docs/third_party-mailman3.md | 81 ++++++++++++++++++------------------ mkdocs.yml | 2 +- 2 files changed, 42 insertions(+), 41 deletions(-) diff --git a/docs/third_party-mailman3.md b/docs/third_party-mailman3.md index a80eaaf70..6674ebe53 100644 --- a/docs/third_party-mailman3.md +++ b/docs/third_party-mailman3.md 
@@ -1,38 +1,38 @@ -# Installing Mailcow and Mailman3 based on dockerized versions +# Installing mailcow and Mailman 3 based on dockerized versions -This guide is a copy from [dockerized-mailcow-mailman](https://github.com/g4rf/dockerized-mailcow-mailman). Please post issues, questions and improvements in the [issue tracker](https://github.com/g4rf/dockerized-mailcow-mailman/issues) there. +!!! info + This guide is a copy from [dockerized-mailcow-mailman](https://github.com/g4rf/dockerized-mailcow-mailman). Please post issues, questions and improvements in the [issue tracker](https://github.com/g4rf/dockerized-mailcow-mailman/issues) there. + +!!! warning + mailcow is not responsible for any data loss, hardware damage or broken keyboards. This guide comes without any warranty. Make backups before starting, 'coze: **No backup no pity!** ## Introduction -This guide aims to install and configure [mailcow-dockerized](https://github.com/mailcow/mailcow-dockerized) with [docker-mailman](https://github.com/maxking/docker-mailman) and to provide some useful scripts. An essential condition is, to preserve *Mailcow* and *Mailman* in their own installations for independent updates. +This guide aims to install and configure [mailcow-dockerized](https://github.com/mailcow/mailcow-dockerized) with [docker-mailman](https://github.com/maxking/docker-mailman) and to provide some useful scripts. An essential condition is, to preserve *mailcow* and *Mailman* in their own installations for independent updates. There are some guides and projects on the internet, but they are not up to date and/or incomplete in documentation or configuration. 
This guide is based on the work of: - [mailcow-mailman3-dockerized](https://github.com/Shadowghost/mailcow-mailman3-dockerized) by [Shadowghost](https://github.com/Shadowghost) - [mailman-mailcow-integration](https://gitbucket.pgollor.de/docker/mailman-mailcow-integration) -After finishing this guide, [mailcow-dockerized](https://github.com/mailcow/mailcow-dockerized) and [docker-mailman](https://github.com/maxking/docker-mailman) will run and *Apache* as a reverse proxy will serve the web frontends. +After finishing this guide, [mailcow-dockerized](https://github.com/mailcow/mailcow-dockerized) and [docker-mailman](https://github.com/maxking/docker-mailman) will run and *Apache* as a reverse proxy will serve the web frontends. The operating system used is an *Ubuntu 20.04 LTS*. -## Disclaimer - -I'm not responsible for any data loss, hardware damage or broken keyboards. This guide comes without any warranty. Make backups before starting, 'coze: **No backup no pity!** - ## Installation -This guide ist based on different steps: +This guide is based on different steps: 1. DNS setup 1. Install *Apache* as a reverse proxy -1. Obtain ssl certificates with *Let's Encrypt* -1. Install *Mailcow* with *Mailman* integration +1. Obtain SSL certificates with *Let's Encrypt* +1. Install *mailcow* with *Mailman* integration 1. Install *Mailman* 1. 🏃 Run ### DNS setup -Most of the configuration ist covered by *Mailcow*s [DNS setup](https://mailcow.github.io/mailcow-dockerized-docs/prerequisite-dns/). After finishing this setup add another subdomain for *Mailman*, e.g. `lists.example.org` that points to the same server: +Most of the configuration is covered by *mailcow*s [DNS setup](https://mailcow.github.io/mailcow-dockerized-docs/prerequisite-dns/). After finishing this setup add another subdomain for *Mailman*, e.g. `lists.example.org` that points to the same server: ``` # Name Type Value 
@@ -52,9 +52,9 @@ a2enmod rewrite proxy proxy_http headers ssl wsgi proxy_uwsgi http2 Maybe you have to install further packages to get these modules. This [PPA](https://launchpad.net/~ondrej/+archive/ubuntu/apache2) by *Ondřej Surý* may help you. -#### vhost configuration +#### vHost configuration -Copy the [mailcow.conf](https://github.com/g4rf/dockerized-mailcow-mailman/tree/master/apache/mailcow.conf) and the [mailman.conf](https://github.com/g4rf/dockerized-mailcow-mailman/tree/master/apache/mailman.conf) to the *Apache* conf folder `sites-available` (e.g. under `/etc/apache2/sites-available`). +Copy the [mailcow.conf](https://github.com/g4rf/dockerized-mailcow-mailman/tree/master/apache/mailcow.conf) and the [mailman.conf](https://github.com/g4rf/dockerized-mailcow-mailman/tree/master/apache/mailman.conf) in the *Apache* conf folder `sites-available` (e.g. under `/etc/apache2/sites-available`). Change in `mailcow.conf`: - `MAILCOW_HOSTNAME` to your **MAILCOW_HOSTNAME** @@ -65,7 +65,7 @@ Change in `mailman.conf`: **Don't activate the configuration, as the ssl certificates and directories are missing yet.** -### Obtain ssl certificates with *Let's Encrypt* +### Obtain SSL certificates with *Let's Encrypt* Check if your DNS config is available over the internet and points to the right IP addresses, e.g. with [MXToolBox](https://mxtoolbox.com): 
@@ -83,33 +83,33 @@ apt install certbot Get the desired certificates (as *root* or *sudo*): ``` -certbot certonly -d MAILCOW_HOSTNAME +certbot certonly -d mailcow_HOSTNAME certbot certonly -d MAILMAN_DOMAIN ``` -### Install *Mailcow* with *Mailman* integration +### Install *mailcow* with *Mailman* integration -#### install Mailcow +#### Install mailcow -Follow the [Mailcow installation](https://mailcow.github.io/mailcow-dockerized-docs/i_u_m_install/). **Omit step 5 and do not pull and up with `docker-compose`!** +Follow the [mailcow installation](https://mailcow.github.io/mailcow-dockerized-docs/i_u_m_install/). **Omit step 5 and do not pull and up with `docker-compose`!** -#### configure Mailcow +#### Configure mailcow -This is also **Step 4** in the official *Mailcow installation* (`nano mailcow.conf`). So change to your needs and alter the following variables: +This is also **Step 4** in the official *mailcow installation* (`nano mailcow.conf`). So change to your needs and alter the following variables: ``` HTTP_PORT=18080 # don't use 8080 as mailman needs it -HTTP_BIND=127.0.0.1 # +HTTP_BIND=127.0.0.1 # HTTPS_PORT=18443 # you may use 8443 -HTTPS_BIND=127.0.0.1 # +HTTPS_BIND=127.0.0.1 # -SKIP_LETS_ENCRYPT=y # reverse proxy will do the ssl termination +SKIP_LETS_ENCRYPT=y # reverse proxy will do the SSL termination -SNAT_TO_SOURCE=1.2.3.4 # change this to your ipv4 -SNAT6_TO_SOURCE=dead:beef # change this to your global ipv6 +SNAT_TO_SOURCE=1.2.3.4 # change this to your IPv4 +SNAT6_TO_SOURCE=dead:beef # change this to your global IPv6 ``` -#### add Mailman integration +#### Add Mailman integration Create the file `/opt/mailcow-dockerized/docker-compose.override.yml` (e.g. with `nano`) and add the following lines: 
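Review bot: In the certbot block of this hunk, `certbot certonly -d MAILCOW_HOSTNAME` became `certbot certonly -d mailcow_HOSTNAME`, so the brand-name cleanup has rewritten a placeholder rather than prose. The vHost section still tells the reader to replace `MAILCOW_HOSTNAME`, and a reader searching for that token will no longer find this command. Keep `MAILCOW_HOSTNAME` here, and likewise in the renew-ssl.sh bullet further down this patch, where `**MAILCOW_HOSTNAME**` was changed to `**mailcow_HOSTNAME**`.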
@@ -127,8 +127,9 @@ networks: docker-mailman_mailman: external: true ``` -The additional volume is used by *Mailman* to generate additional config files for *Mailcow postfix*. The external network is build and used by *Mailman*. *Mailcow* needs it to deliver incoming list mails to *Mailman*. -dockerized-mailcow-mailman +The additional volume is used by *Mailman* to generate additional config files for *mailcow postfix*. The external network is build and used by *Mailman*. *mailcow* needs it to deliver incoming list mails to *Mailman*. + + Create the file `/opt/mailcow-dockerized/data/conf/postfix/extra.cf` (e.g. with `nano`) and add the following lines: ``` 
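Review bot: The rewritten sentence in this hunk still reads "The external network is build and used by *Mailman*"; since the line is being touched anyway, change "build" to "built". Removing the stray `dockerized-mailcow-mailman` line is right, but the hunk replaces it with two empty lines where one is enough before "Create the file ...".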
@@ -158,16 +159,16 @@ relay_recipient_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_relay_recipient_maps.cf, regexp:/opt/mailman/core/var/data/postfix_lmtp ``` -As we overwrite *Mailcow postfix* configuration here, this step may break your normal mail transports. Check the [original configuration files](https://github.com/mailcow/mailcow-dockerized/tree/master/data/conf/postfix) if anything changed. +As we overwrite *mailcow postfix* configuration here, this step may break your normal mail transports. Check the [original configuration files](https://github.com/mailcow/mailcow-dockerized/tree/master/data/conf/postfix) if anything changed. -#### ssl certificates +#### SSL certificates -As we proxying *Mailcow*, we need to copy the ssl certificates into the *Mailcow* file structure. This task will do the script [renew-ssl.sh](https://github.com/g4rf/dockerized-mailcow-mailman/tree/master/scripts/renew-ssl.sh) for us: +As we proxying *mailcow*, we need to copy the SSL certificates into the *mailcow* file structure. This task will do the script [renew-ssl.sh](https://github.com/g4rf/dockerized-mailcow-mailman/tree/master/scripts/renew-ssl.sh) for us: -- copy the file to `/opt/mailcow-dockerized` -- change **MAILCOW_HOSTNAME** to your *Mailcow* hostname -- make it executable (`chmod a+x renew-ssl.sh`) -- **do not run it yet, as we first need Mailman** +- Copy the file to `/opt/mailcow-dockerized` +- Change **mailcow_HOSTNAME** to your *mailcow* hostname +- Make it executable (`chmod a+x renew-ssl.sh`) +- **Do not run it yet, as we first need Mailman** You have to create a *cronjob*, so that new certificates will be copied. Execute as *root* or *sudo*: @@ -195,7 +196,7 @@ git clone https://github.com/maxking/docker-mailman cd docker-mailman ``` -#### configure Mailman +#### Configure Mailman Create a long key for *Hyperkitty*, e.g. with the linux command `cat /dev/urandom | tr -dc a-zA-Z0-9 | head -c30; echo`. Save this key for a moment as HYPERKITTY_KEY. 
@@ -241,7 +242,7 @@ At `mailman-web` fill in correct values for `SERVE_FROM_DOMAIN` (e.g. `lists.exa About other configuration options read [Mailman-web](https://github.com/maxking/docker-mailman#mailman-web-1) and [Mailman-core](https://github.com/maxking/docker-mailman#mailman-core-1) documentation. -#### configure Mailman core and Mailman web +#### Configure Mailman core and Mailman web Create the file `/opt/mailman/core/mailman-extra.cfg` with the following content. `mailman@example.org` should be pointing to a valid mail box or redirection. @@ -301,13 +302,13 @@ docker-compose restart postfix-mailcow ## Update -**Mailcow** has it's own update script in `/opt/mailcow-dockerized/update.sh', [see the docs](https://mailcow.github.io/mailcow-dockerized-docs/i_u_m_update/). +**mailcow** has it's own update script in `/opt/mailcow-dockerized/update.sh', [see the docs](https://mailcow.github.io/mailcow-dockerized-docs/i_u_m_update/). For **Mailman** just fetch the newest version from the [github repository](https://github.com/maxking/docker-mailman). ## Backup -**Mailcow** has an own backup script. [Read the docs](https://mailcow.github.io/mailcow-dockerized-docs/b_n_r_backup/) for further informations. +**mailcow** has an own backup script. [Read the docs](https://mailcow.github.io/mailcow-dockerized-docs/b_n_r_backup/) for further informations. **Mailman** won't state backup instructions in the README.md. In the [gitbucket of pgollor](https://gitbucket.pgollor.de/docker/mailman-mailcow-integration/blob/master/mailman-backup.sh) is a script that may be helpful. diff --git a/mkdocs.yml b/mkdocs.yml index 85c0c0efe..f6ce954e3 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
@@ -133,12 +133,12 @@ nav: - 'Exchange Hybrid Setup': 'third_party-exchange_onprem.md' - 'Gitea': 'third_party-gitea.md' - 'Gogs': 'third_party-gogs.md' + - 'Mailman3': 'third_party-mailman3.md' - 'Mailpiler Integration': 'third_party-mailpiler_integration.md' - 'Nextcloud': 'third_party-nextcloud.md' - 'Portainer': 'third_party-portainer.md' - 'Roundcube': 'third_party-roundcube.md' - 'SOGo Connector for Thunderbird': 'third_party-thunderbird.md' - - 'Mailman3': 'third_party-mailman3.md' extra: palette: primary: "indigo" From d3d1f176df62139089eee306ae6d7e7fd9c9a290 Mon Sep 17 00:00:00 2001 From: Peter Date: Sat, 2 Oct 2021 22:03:13 +0200 Subject: [PATCH 208/288] Update a bit third_party-mailman3.md --- docs/third_party-mailman3.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/third_party-mailman3.md b/docs/third_party-mailman3.md index 6674ebe53..f264f2f86 100644 --- a/docs/third_party-mailman3.md +++ b/docs/third_party-mailman3.md @@ -4,7 +4,7 @@ This guide is a copy from [dockerized-mailcow-mailman](https://github.com/g4rf/dockerized-mailcow-mailman). Please post issues, questions and improvements in the [issue tracker](https://github.com/g4rf/dockerized-mailcow-mailman/issues) there. !!! warning - mailcow is not responsible for any data loss, hardware damage or broken keyboards. This guide comes without any warranty. Make backups before starting, 'coze: **No backup no pity!** + mailcow is not responsible for any data loss, hardware damage or broken keyboards. This guide comes without any warranty. Make backups before starting, 'coze: **No backup no pity!** ## Introduction From 9e0a4be5a2a1b384f013f76879ca7fba71d06e4f Mon Sep 17 00:00:00 2001 
From: FingerlessGloves Date: Sun, 3 Oct 2021 16:30:35 +0100 Subject: [PATCH 209/288] Update RC spellcheck installation information Update Roundcube spellcheck installation information, modern browsers include built in spell check, so this maybe a unwanted feature for some. Also bullet pointed the important information about `config.inc.php` --- docs/third_party-roundcube.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/third_party-roundcube.md b/docs/third_party-roundcube.md index 19f45b9f8..18b4a9695 100644 --- a/docs/third_party-roundcube.md +++ b/docs/third_party-roundcube.md @@ -9,7 +9,7 @@ mv roundcubemail-1.5-rc rc chown -R root: rc/ ``` -If you need spell check features, create a file `data/hooks/phpfpm/aspell.sh` with the following content, then `chmod +x data/hooks/phpfpm/aspell.sh`. This installs a local spell check engine. +If you need spell check features, create a file `data/hooks/phpfpm/aspell.sh` with the following content, then `chmod +x data/hooks/phpfpm/aspell.sh`. This installs a local spell check engine. Note, most modern web browsers have built in spell check, so you may not want/need this. ``` #!/bin/bash apk update @@ -17,9 +17,9 @@ apk add aspell-en # or any other language ``` Create a file `data/web/rc/config/config.inc.php` with the following content. - -**Change the `des_key` parameter to a random value.** It is used to temporarily store your IMAP password. The "db_prefix" is optional but recommended. - + - **Change the `des_key` parameter to a random value.** It is used to temporarily store your IMAP password. + - The `db_prefix` is optional but recommended. + - If you didn't install spell check in the above step, remove `spellcheck_engine` parameter and replace it with `$config['enable_spellcheck'] = false;`. ``` Date: Mon, 4 Oct 2021 11:44:03 +0200 Subject: [PATCH 210/288] [GH-Actions][pages] Add milkmaker --- .github/workflows/gh-pages.yml | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 278b46d52..769ddce23 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -9,6 +9,8 @@ jobs: steps: - name: Checkout 📥 uses: actions/checkout@v2.3.4 + with: + token: '${{ secrets.GHPAGES_ACTION_CHECKOUT_TOKEN_PAT }}' - name: Install dependencies 🐄 run: | @@ -23,5 +25,6 @@ jobs: - name: Deploy 🚀 uses: JamesIves/github-pages-deploy-action@4.1.5 with: + token: '${{ secrets.GHPAGES_ACTION_DEPLOY_TOKEN_PAT }}' branch: gh-pages # The branch the action should deploy to. folder: site # The folder the action should deploy. From a3341b96e891292e70dfdaf89831074104a8aa92 Mon Sep 17 00:00:00 2001 From: Peter Date: Mon, 4 Oct 2021 11:44:39 +0200 Subject: [PATCH 211/288] It's Mailman 3 --- mkdocs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mkdocs.yml b/mkdocs.yml index f6ce954e3..fd9940481 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -133,7 +133,7 @@ nav: - 'Exchange Hybrid Setup': 'third_party-exchange_onprem.md' - 'Gitea': 'third_party-gitea.md' - 'Gogs': 'third_party-gogs.md' - - 'Mailman3': 'third_party-mailman3.md' + - 'Mailman 3': 'third_party-mailman3.md' - 'Mailpiler Integration': 'third_party-mailpiler_integration.md' - 'Nextcloud': 'third_party-nextcloud.md' - 'Portainer': 'third_party-portainer.md' From 885c7d4c960a6db33dbddbf565590987a3e7b82d Mon Sep 17 00:00:00 2001 From: Peter Date: Mon, 4 Oct 2021 12:03:08 +0200 Subject: [PATCH 212/288] [GH-Actions][pages] Fix milkmaker --- .github/workflows/gh-pages.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 769ddce23..92f2e7814 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml 
@@ -26,5 +26,7 @@ jobs: uses: JamesIves/github-pages-deploy-action@4.1.5 with: token: '${{ secrets.GHPAGES_ACTION_DEPLOY_TOKEN_PAT }}' + git-config-name: '${{ secrets.GHPAGES_ACTION_DEPLOY_GITNAME_PAT }}' + git-config-email: '${{ secrets.GHPAGES_ACTION_DEPLOY_GITEMAIL_PAT }}' branch: gh-pages # The branch the action should deploy to. folder: site # The folder the action should deploy. From 0b29b4a83275b4bd0633ff1fb5d8350a05821e1a Mon Sep 17 00:00:00 2001 From: Peter Date: Wed, 6 Oct 2021 22:46:08 +0200 Subject: [PATCH 213/288] [GH-Actions][pages] Update to mkdocs-material 7.3.2 --- .github/workflows/gh-pages.yml | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 92f2e7814..a8eab97b8 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -16,7 +16,7 @@ jobs: run: | sudo apt-get -y update sudo apt-get -y install python3-pip - pip install mkdocs-material==7.3.1 pygments==2.10.0 mkdocs-redirects==1.0.3 + pip install mkdocs-material==7.3.2 pygments==2.10.0 mkdocs-redirects==1.0.3 - name: Build site 🔧 run: | diff --git a/README.md b/README.md index faf6ab165..98edc603f 100644 --- a/README.md +++ b/README.md @@ -9,6 +9,6 @@ https://mailcow.github.io/mailcow-dockerized-docs To build it locally, you need the [Material theme for MkDocs](https://squidfunk.github.io/mkdocs-material/), [MkDocs](https://www.mkdocs.org/) itself and [Pygments](http://pygments.org/). To install these with [pip](https://pip.pypa.io/en/stable/) and get it up and running, fire up your terminal and enter ``` -pip install mkdocs-material==7.3.1 pygments==2.10.0 mkdocs-redirects==1.0.3 +pip install mkdocs-material==7.3.2 pygments==2.10.0 mkdocs-redirects==1.0.3 mkdocs serve ``` From 5b6f47eb8994e5c1826d1d6aff98703aafb94057 Mon Sep 17 00:00:00 2001 
From: andryyy Date: Sun, 10 Oct 2021 15:35:13 +0200 Subject: [PATCH 214/288] add debug-mysql_aria.md --- docs/debug-mysql_aria.md | 22 ++++++++++++++++++++++ mkdocs.yml | 1 + 2 files changed, 23 insertions(+) create mode 100644 docs/debug-mysql_aria.md diff --git a/docs/debug-mysql_aria.md b/docs/debug-mysql_aria.md new file mode 100644 index 000000000..eb5ebad75 --- /dev/null +++ b/docs/debug-mysql_aria.md @@ -0,0 +1,22 @@ +## MariaDB: Aria recovery after crash + +If your server crashed and MariaDB logs an error similar to `[ERROR] mysqld: Aria recovery failed. Please run aria_chk -r on all Aria tables (*.MAI) and delete all aria_log.######## files` you may want to try the following to recover the database to a healthy state: + +Start the stack and wait until mysql-mailcow begins to report a restarting state. Check by running `docker-compose ps`. + +Now run the following commands: + +``` +# Stop the stack, don't run "down" +docker-compose stop +# Run a bash in the stopped container as user mysql +docker-compose run --rm --entrypoint '/bin/sh -c "gosu mysql bash"' mysql-mailcow +# cd to the SQL data directory +cd /var/lib/mysql +# Run aria_chk +aria_chk --check --force */*.MAI +# Delete aria log files +rm aria_log.* +``` + +Now run `docker-compose down` followed by `docker-compose up -d`. diff --git a/mkdocs.yml b/mkdocs.yml index aa3351e2d..2faf71486 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -52,6 +52,7 @@ nav: - 'Attach a Container': 'debug-attach_service.md' - 'Reset Passwords (incl. SQL)': 'debug-reset_pw.md' - 'Manual MySQL upgrade': 'debug-mysql_upgrade.md' + - 'Recover crashed Aria storage engine': 'debug-mysql_aria.md' - 'Remove Persistent Data': 'debug-rm_volumes.md' - 'Common Problems': 'debug-common_problems.md' - 'Admin login to SOGo': 'debug-admin_login_sogo.md' From 7c3690dd2a41a317b2716c1f1d8f87dc385949c5 Mon Sep 17 00:00:00 2001 
From: Peter Date: Tue, 12 Oct 2021 18:17:31 +0200 Subject: [PATCH 215/288] [GH-Actions][pages] Update to mkdocs-material 7.3.3 --- .github/workflows/gh-pages.yml | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index a8eab97b8..b5c000308 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -16,7 +16,7 @@ jobs: run: | sudo apt-get -y update sudo apt-get -y install python3-pip - pip install mkdocs-material==7.3.2 pygments==2.10.0 mkdocs-redirects==1.0.3 + pip install mkdocs-material==7.3.3 pygments==2.10.0 mkdocs-redirects==1.0.3 - name: Build site 🔧 run: | diff --git a/README.md b/README.md index 98edc603f..1b0af58d9 100644 --- a/README.md +++ b/README.md @@ -9,6 +9,6 @@ https://mailcow.github.io/mailcow-dockerized-docs To build it locally, you need the [Material theme for MkDocs](https://squidfunk.github.io/mkdocs-material/), [MkDocs](https://www.mkdocs.org/) itself and [Pygments](http://pygments.org/). To install these with [pip](https://pip.pypa.io/en/stable/) and get it up and running, fire up your terminal and enter ``` -pip install mkdocs-material==7.3.2 pygments==2.10.0 mkdocs-redirects==1.0.3 +pip install mkdocs-material==7.3.3 pygments==2.10.0 mkdocs-redirects==1.0.3 mkdocs serve ``` From 2a8aced4df6b6f65e8de9667dd42ce320cfd396d Mon Sep 17 00:00:00 2001 From: Peter Date: Fri, 15 Oct 2021 20:11:20 +0200 Subject: [PATCH 216/288] [GH-Actions][pages] Update checkout to v2.3.5 --- .github/workflows/gh-pages.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index b5c000308..3df799302 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml 
@@ -8,7 +8,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout 📥 - uses: actions/checkout@v2.3.4 + uses: actions/checkout@v2.3.5 with: token: '${{ secrets.GHPAGES_ACTION_CHECKOUT_TOKEN_PAT }}' From 641e3c6551630673c812d15398d58f0e3ebb94ea Mon Sep 17 00:00:00 2001 From: andryyy Date: Mon, 18 Oct 2021 16:19:49 +0200 Subject: [PATCH 217/288] Add cold standby docs --- docs/b_n_r-accidental_deletion.md | 40 +++++++++++++ docs/b_n_r-backup.md | 97 +++++++++++++++++++++++++++++++ docs/b_n_r-coldstandby.md | 71 ++++++++++++++++++++++ docs/b_n_r-restore.md | 14 +++++ mkdocs.yml | 13 +++-- 5 files changed, 229 insertions(+), 6 deletions(-) create mode 100644 docs/b_n_r-accidental_deletion.md create mode 100644 docs/b_n_r-backup.md create mode 100644 docs/b_n_r-coldstandby.md create mode 100644 docs/b_n_r-restore.md diff --git a/docs/b_n_r-accidental_deletion.md b/docs/b_n_r-accidental_deletion.md new file mode 100644 index 000000000..8f5597fd0 --- /dev/null +++ b/docs/b_n_r-accidental_deletion.md 
@@ -0,0 +1,40 @@ +So you deleted a mailbox and have no backups, he? + +If you noticed your mistake within a few hours, you can probably recover the users data. + +### SOGo + +We automatically create daily backups (24h interval starting from running up -d) in `/var/lib/docker/volumes/mailcowdockerized_sogo-userdata-backup-vol-1/_data/`. + +**Make sure the user you want to restore exists in your mailcow**. Re-create them if they are missing. + +Copy the file named after the user you want to restore to `__MAILCOW_DIRECTORY__/data/conf/sogo`. + +1\. Copy the backup: `cp /var/lib/docker/volumes/mailcowdockerized_sogo-userdata-backup-vol-1/_data/restoreme@example.org __MAILCOW_DIRECTORY__/data/conf/sogo` + +2\. Run `docker-compose exec -u sogo sogo-mailcow sogo-tool restore -F ALL /etc/sogo restoreme@example.org` + +Run `sogo-tool` without parameters to check for possible restore options. + +3\. Delete the copied backup by running `rm __MAILCOW_DIRECTORY__/data/conf/sogo` + +4\. Restart SOGo and Memcached: `docker-compose restart sogo-mailcow memcached-mailcow` + +### Mail + +In case of an accidental deletion of a mailbox, you will be able to recover for (by default) 5 days. This depends on the `MAILDIR_GC_TIME` parameter in `mailcow.conf`. + +A deleted mailbox is copied in its encrypted form to `/var/lib/docker/volumes/mailcowdockerized_vmail-vol-1/_data/_garbage`. + +The folder inside `_garbage` follows the structure `[timestamp]_[domain_sanitized][user_sanitized]`, for example `1629109708_exampleorgtest` in case of test@example.org deleted on 1629109708. + +To restore make sure you are actually restoring to the same mailcow it was deleted from or you use the same encryption keys in `crypt-vol-1`. + +**Make sure the user you want to restore exists in your mailcow**. Re-create them if they are missing. 
+ +Copy the folders from `/var/lib/docker/volumes/mailcowdockerized_vmail-vol-1/_data/_garbage/[timestamp]_[domain_sanitized][user_sanitized]` back to `/var/lib/docker/volumes/mailcowdockerized_vmail-vol-1/_data/[domain]/[user]` and resync the folder and recalc the quota: + +``` +docker-compose exec dovecot-mailcow doveadm force-resync -u restoreme@example.net '*' +docker-compose exec dovecot-mailcow doveadm quota recalc -u restoreme@example.net +``` diff --git a/docs/b_n_r-backup.md b/docs/b_n_r-backup.md new file mode 100644 index 000000000..60e6c301e --- /dev/null +++ b/docs/b_n_r-backup.md 
@@ -0,0 +1,97 @@ +### Backup + +#### Manual + +You can use the provided script `helper-scripts/backup_and_restore.sh` to backup mailcow automatically. + +Please do not copy this script to another location. + +To run a backup, write "backup" as first parameter and either one or more components to backup as following parameters. +You can also use "all" as second parameter to backup all components. Append `--delete-days n` to delete backups older than n days. + +``` +# Syntax: +# ./helper-scripts/backup_and_restore.sh backup (vmail|crypt|redis|rspamd|postfix|mysql|all|--delete-days) + +# Backup all, delete backups older than 3 days +./helper-scripts/backup_and_restore.sh backup all --delete-days 3 + +# Backup vmail, crypt and mysql data, delete backups older than 30 days +./helper-scripts/backup_and_restore.sh backup vmail crypt mysql --delete-days 30 + +# Backup vmail +./helper-scripts/backup_and_restore.sh backup vmail + +``` + +The script will ask you for a backup location. Inside of this location it will create folders in the format "mailcow_DATE". +You should not rename those folders to not break the restore process. + +To run a backup unattended, define MAILCOW_BACKUP_LOCATION as environment variable before starting the script: + +``` +MAILCOW_BACKUP_LOCATION=/opt/backup /opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh backup all +``` + +#### Cronjob + +You can run the backup script regularly via cronjob. Make sure `BACKUP_LOCATION` exists: + +``` +5 4 * * * cd /opt/mailcow-dockerized/; MAILCOW_BACKUP_LOCATION=/mnt/mailcow_backups /opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh backup mysql crypt redis --delete-days 3 +``` + +Per default cron sends the full result of each backup operation by email. If you want cron to only mail on error (non-zero exit code) you may want to use the following snippet. Pathes need to be modified according to your setup (this script is a user contribution). 
+ +This following script may be placed in `/etc/cron.daily/mailcow-backup` - do not forget to mark it as executable via `chmod +x`: + +``` +#!/bin/sh + +# Backup mailcow data +# https://mailcow.github.io/mailcow-dockerized-docs/b_n_r_backup/ + +set -e + +OUT="$(mktemp)" +export MAILCOW_BACKUP_LOCATION="/opt/backup" +SCRIPT="/opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh" +PARAMETERS="backup all" +OPTIONS="--delete-days 30" + +# run command +set +e +"${SCRIPT}" ${PARAMETERS} ${OPTIONS} 2>&1 > "$OUT" +RESULT=$? + +if [ $RESULT -ne 0 ] + then + echo "${SCRIPT} ${PARAMETERS} ${OPTIONS} encounters an error:" + echo "RESULT=$RESULT" + echo "STDOUT / STDERR:" + cat "$OUT" +fi +``` + +# Backup strategy with rsync and mailcow backup script + +Create the destination directory for mailcows helper script: +``` +mkdir -p /external_share/backups/backup_script +``` + +Create cronjobs: +``` +25 1 * * * rsync -aH --delete /opt/mailcow-dockerized /external_share/backups/mailcow-dockerized +40 2 * * * rsync -aH --delete /var/lib/docker/volumes /external_share/backups/var_lib_docker_volumes +5 4 * * * cd /opt/mailcow-dockerized/; BACKUP_LOCATION=/external_share/backups/backup_script /opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh backup mysql crypt redis --delete-days 3 +# If you want to, use the acl util to backup permissions of some/all folders/files: getfacl -Rn /path +``` + +On the destination (in this case `/external_share/backups`) you may want to have snapshot capabilities (ZFS, Btrfs etc.). Snapshot daily and keep for n days for a consistent backup. +Do **not** rsync to a Samba share, you need to keep the correct permissions! + +To restore you'd simply need to run rsync the other way round and restart Docker to re-read the volumes. Run `docker-compose pull` and `docker-compose up -d`. + +If you are lucky Redis and MariaDB can automatically fix the inconsistent databases (if they _are_ inconsistent). 
+In case of a corrupted database you'd need to use the helper script to restore the inconsistent elements. If a restore fails, try to extract the backups and copy the files back manually. Keep the file permissions! diff --git a/docs/b_n_r-coldstandby.md b/docs/b_n_r-coldstandby.md new file mode 100644 index 000000000..2baba6e6d --- /dev/null +++ b/docs/b_n_r-coldstandby.md 
@@ -0,0 +1,71 @@ +# Cold-standby backup + +mailcow offers an easy way to create a consistent copy of itself to be rsync'ed to a remote location without downtime. + +This may also be used to transfer your mailcow to a new server. + +## You should know + +The provided script will work on default installations. + +It may break when you use unsupported volume overrides. We don't support that and we will not include hacks to support that. Please run and maintain a fork if you plan to keep your changes. + +The script will use **the same pathes** as your default mailcow installation. That is the mailcow base directory - for most users `/opt/mailcow-dockerized` - as well as the mountpoints. + +To find the pathes of your source volumes we use `docker inspect` and read the destination directory of every volume related to your mailcow compose project. This means we will also transfer volumes you may have added in a override file. Local bind mounts may or may not work. + +The use rsync with the `--delete` flag. The destination will be an exact copy of the source. + +`mariabackup` is used to create a consistent copy of the SQL data directory. + +After rsync'ing the data we will run `docker-compose pull` and remove old image tags from the destination. + +Your source will not be changed at any time. + +**You may want to make sure to use the same `/etc/docker/daemon.json` on the remote target.** + +You should not run disk snapshots (e.g. via ZFS, LVM etc.) on the target at the very same time as this script is run. + +Versioning is not part of this script, we rely on the destination (snapshots or backups). You may also want to use any other tool for that. + +## Prepare + +You will need a SSH-enabled destination and a keyfile to connect to said destination. The key should not be protected by a password for the script to work unattended. + +In your mailcow base directory, e.g. `/opt/mailcow-dockerized` you will find a file `create_cold_standby.sh`. 
+ +Edit this file and change the exported variables: + +``` +export REMOTE_SSH_KEY=/path/to/keyfile +export REMOTE_SSH_PORT=22 +export REMOTE_SSH_HOST=mailcow-backup.host.name +``` + +The key must be owned and readable by root only. + +Both the source and destination require `rsync` >= v3.1.0. +The destination must have Docker and docker-compose **v1** available. + +The script will detect errors automatically and exit. + +You may want to test the connection by running `ssh mailcow-backup.host.name -p22 -i/path/to/keyfile`. + +## Backup and refresh the cold-standby + +Run the first backup, this may take a while depending on the connection: + +``` +bash /opt/mailcow-dockerized/create_cold_standby.sh +``` + +That was easy, wasn't it? + +Updating your cold-standby is just as easy: + +``` +bash /opt/mailcow-dockerized/create_cold_standby.sh +``` + +It's the same command. + diff --git a/docs/b_n_r-restore.md b/docs/b_n_r-restore.md new file mode 100644 index 000000000..e8603d86c --- /dev/null +++ b/docs/b_n_r-restore.md @@ -0,0 +1,14 @@ +### Restore + +Please do not copy this script to another location. + +To run a restore, **start mailcow**, use the script with "restore" as first parameter. + +``` +# Syntax: +# ./helper-scripts/backup_and_restore.sh restore + +``` + +The script will ask you for a backup location containing the mailcow_DATE folders. + diff --git a/mkdocs.yml b/mkdocs.yml index be439bd91..600b6f073 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
@@ -62,13 +62,14 @@ nav: - 'Reset Passwords (incl. SQL)': 'debug-reset_pw.md' - 'Reset TLS certificates': 'debug-reset_tls.md' - 'Backup & Restore': - - 'Helper script': - - 'Backup': 'b_n_r_backup.md' - - 'Restore': 'b_n_r_restore.md' - - 'Manually': + - 'Component backup': + - 'Backup': 'b_n_r-backup.md' + - 'Restore': 'b_n_r-restore.md' + - 'Cold-standby (rolling)': 'b_n_r-coldstandby.md' + - 'Manual backups': - 'Maildir': 'u_e-backup_restore-maildir.md' - - 'MySQL': 'u_e-backup_restore-mysql.md' - - 'Automatic backups': + - 'MySQL (mysqldump)': 'u_e-backup_restore-mysql.md' + - 'mailcow-internal backups': - 'Recover accidentally deleted data': 'b_n_r_accidental_deletion.md' - 'Manual/Guides/Examples': - 'mailcow UI': From 50b473527a927663c33cca016eb31e6e0dbcba1f Mon Sep 17 00:00:00 2001 From: andryyy Date: Mon, 18 Oct 2021 16:20:35 +0200 Subject: [PATCH 218/288] Add cold standby docs --- docs/b_n_r_accidental_deletion.md | 40 ------------- docs/b_n_r_backup.md | 97 ------------------------------- docs/b_n_r_restore.md | 14 ----- 3 files changed, 151 deletions(-) delete mode 100644 docs/b_n_r_accidental_deletion.md delete mode 100644 docs/b_n_r_backup.md delete mode 100644 docs/b_n_r_restore.md diff --git a/docs/b_n_r_accidental_deletion.md b/docs/b_n_r_accidental_deletion.md deleted file mode 100644 index 43b731f21..000000000 --- a/docs/b_n_r_accidental_deletion.md +++ /dev/null 
@@ -1,40 +0,0 @@ -So you deleted a mailbox and have no backups, he? - -If you noticed your mistake within a few hours, you can probably recover the users data. - -### SOGo - -We automatically create daily backups (24h interval starting from running up -d) in `/var/lib/docker/volumes/mailcowdockerized_sogo-userdata-backup-vol-1/_data/`. - -**Make sure the user you want to restore exists in your mailcow**. Re-create them if they are missing. - -Copy the file named after the user you want to restore to `__MAILCOW_DIRECTORY__/data/conf/sogo`. - -1\. Copy the backup: `cp /var/lib/docker/volumes/mailcowdockerized_sogo-userdata-backup-vol-1/_data/restoreme@example.org __MAILCOW_DIRECTORY__/data/conf/sogo` - -2\. Run `docker-compose exec -u sogo sogo-mailcow sogo-tool restore -F ALL /etc/sogo restoreme@example.org` - -Run `sogo-tool` without parameters to check for possible restore options. - -3\. Delete the copied backup by running `rm __MAILCOW_DIRECTORY__/data/conf/sogo` - -4\. Restart SOGo and Memcached: `docker-compose restart sogo-mailcow memcached-mailcow` - -### Mail - -In case of an accidental deletion of a mailbox, you will be able to recover for (by default) 5 days. This depends on the `MAILDIR_GC_TIME` parameter in `mailcow.conf`. - -A deleted mailbox is copied in its encrypted form to `/var/lib/docker/volumes/mailcowdockerized_vmail-vol-1/_data/_garbage`. - -The folder inside _garbage follows the structure `[timestamp]_[domain_sanitized][user_sanitized]`, for example `1629109708_exampleorgtest in case of test@example.org deleted on 1629109708. - -To restore make sure you are actually restoring to the same mailcow it was deleted from or you use the same encryption keys in `crypt-vol-1`. - -**Make sure the user you want to restore exists in your mailcow**. Re-create them if they are missing. 
- -Copy the folders from `/var/lib/docker/volumes/mailcowdockerized_vmail-vol-1/_data/_garbage/[timestamp]_[domain_sanitized][user_sanitized]` back to `/var/lib/docker/volumes/mailcowdockerized_vmail-vol-1/_data/[domain]/[user]` and resync the folder and recalc the quota: - -``` -docker-compose exec dovecot-mailcow doveadm force-resync -u restoreme@example.net '*' -docker-compose exec dovecot-mailcow doveadm quota recalc -u restoreme@example.net -``` diff --git a/docs/b_n_r_backup.md b/docs/b_n_r_backup.md deleted file mode 100644 index 60e6c301e..000000000 --- a/docs/b_n_r_backup.md +++ /dev/null 
@@ -1,97 +0,0 @@ -### Backup - -#### Manual - -You can use the provided script `helper-scripts/backup_and_restore.sh` to backup mailcow automatically. - -Please do not copy this script to another location. - -To run a backup, write "backup" as first parameter and either one or more components to backup as following parameters. -You can also use "all" as second parameter to backup all components. Append `--delete-days n` to delete backups older than n days. - -``` -# Syntax: -# ./helper-scripts/backup_and_restore.sh backup (vmail|crypt|redis|rspamd|postfix|mysql|all|--delete-days) - -# Backup all, delete backups older than 3 days -./helper-scripts/backup_and_restore.sh backup all --delete-days 3 - -# Backup vmail, crypt and mysql data, delete backups older than 30 days -./helper-scripts/backup_and_restore.sh backup vmail crypt mysql --delete-days 30 - -# Backup vmail -./helper-scripts/backup_and_restore.sh backup vmail - -``` - -The script will ask you for a backup location. Inside of this location it will create folders in the format "mailcow_DATE". -You should not rename those folders to not break the restore process. - -To run a backup unattended, define MAILCOW_BACKUP_LOCATION as environment variable before starting the script: - -``` -MAILCOW_BACKUP_LOCATION=/opt/backup /opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh backup all -``` - -#### Cronjob - -You can run the backup script regularly via cronjob. Make sure `BACKUP_LOCATION` exists: - -``` -5 4 * * * cd /opt/mailcow-dockerized/; MAILCOW_BACKUP_LOCATION=/mnt/mailcow_backups /opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh backup mysql crypt redis --delete-days 3 -``` - -Per default cron sends the full result of each backup operation by email. If you want cron to only mail on error (non-zero exit code) you may want to use the following snippet. Pathes need to be modified according to your setup (this script is a user contribution). 
- -This following script may be placed in `/etc/cron.daily/mailcow-backup` - do not forget to mark it as executable via `chmod +x`: - -``` -#!/bin/sh - -# Backup mailcow data -# https://mailcow.github.io/mailcow-dockerized-docs/b_n_r_backup/ - -set -e - -OUT="$(mktemp)" -export MAILCOW_BACKUP_LOCATION="/opt/backup" -SCRIPT="/opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh" -PARAMETERS="backup all" -OPTIONS="--delete-days 30" - -# run command -set +e -"${SCRIPT}" ${PARAMETERS} ${OPTIONS} 2>&1 > "$OUT" -RESULT=$? - -if [ $RESULT -ne 0 ] - then - echo "${SCRIPT} ${PARAMETERS} ${OPTIONS} encounters an error:" - echo "RESULT=$RESULT" - echo "STDOUT / STDERR:" - cat "$OUT" -fi -``` - -# Backup strategy with rsync and mailcow backup script - -Create the destination directory for mailcows helper script: -``` -mkdir -p /external_share/backups/backup_script -``` - -Create cronjobs: -``` -25 1 * * * rsync -aH --delete /opt/mailcow-dockerized /external_share/backups/mailcow-dockerized -40 2 * * * rsync -aH --delete /var/lib/docker/volumes /external_share/backups/var_lib_docker_volumes -5 4 * * * cd /opt/mailcow-dockerized/; BACKUP_LOCATION=/external_share/backups/backup_script /opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh backup mysql crypt redis --delete-days 3 -# If you want to, use the acl util to backup permissions of some/all folders/files: getfacl -Rn /path -``` - -On the destination (in this case `/external_share/backups`) you may want to have snapshot capabilities (ZFS, Btrfs etc.). Snapshot daily and keep for n days for a consistent backup. -Do **not** rsync to a Samba share, you need to keep the correct permissions! - -To restore you'd simply need to run rsync the other way round and restart Docker to re-read the volumes. Run `docker-compose pull` and `docker-compose up -d`. - -If you are lucky Redis and MariaDB can automatically fix the inconsistent databases (if they _are_ inconsistent). 
-In case of a corrupted database you'd need to use the helper script to restore the inconsistent elements. If a restore fails, try to extract the backups and copy the files back manually. Keep the file permissions! diff --git a/docs/b_n_r_restore.md b/docs/b_n_r_restore.md deleted file mode 100644 index e8603d86c..000000000 --- a/docs/b_n_r_restore.md +++ /dev/null @@ -1,14 +0,0 @@ -### Restore - -Please do not copy this script to another location. - -To run a restore, **start mailcow**, use the script with "restore" as first parameter. - -``` -# Syntax: -# ./helper-scripts/backup_and_restore.sh restore - -``` - -The script will ask you for a backup location containing the mailcow_DATE folders. - From df3b7aa70027cad031dbf8bda928a69b4ed94c1b Mon Sep 17 00:00:00 2001 From: andryyy Date: Mon, 18 Oct 2021 16:23:11 +0200 Subject: [PATCH 219/288] Wording --- mkdocs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mkdocs.yml b/mkdocs.yml index 600b6f073..a82ff6b2b 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -65,7 +65,7 @@ nav: - 'Component backup': - 'Backup': 'b_n_r-backup.md' - 'Restore': 'b_n_r-restore.md' - - 'Cold-standby (rolling)': 'b_n_r-coldstandby.md' + - 'Cold-standby (rolling backup)': 'b_n_r-coldstandby.md' - 'Manual backups': - 'Maildir': 'u_e-backup_restore-maildir.md' - 'MySQL (mysqldump)': 'u_e-backup_restore-mysql.md' From 68de2878a0582abe38c67ea6b6c50df36ab7384c Mon Sep 17 00:00:00 2001 From: ctrl-i <1422608+ctrl-i@users.noreply.github.com> Date: Tue, 19 Oct 2021 18:03:37 +0100 Subject: [PATCH 220/288] Update u_e-update-hooks.md (#308) Fixed two typos --- docs/u_e-update-hooks.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/u_e-update-hooks.md b/docs/u_e-update-hooks.md index 1d61bbe1c..ee2002354 100644 --- a/docs/u_e-update-hooks.md +++ b/docs/u_e-update-hooks.md 
@@ -1,9 +1,9 @@ It is possible to add pre- and post-update-hooks to the `update.sh` script that upgrades your whole mailcow installation. -To do so, just add the corresponding bash script into your mailcows root directory: +To do so, just add the corresponding bash script into your mailcow root directory: * `pre_update_hook.sh` for commands that should run before the update -* `post_uddate_hook.sh` for commands that should run after the update is completed +* `post_update_hook.sh` for commands that should run after the update is completed Keep in mind that `pre_update_hook.sh` runs every time you call `update.sh` and `post_update_hook.sh` will only run if the update was successful and the script doesn't have to be re-run. From ce6132ee625eb7c4c25b7a17bc9164485221419a Mon Sep 17 00:00:00 2001 From: Peter Date: Tue, 19 Oct 2021 19:10:09 +0200 Subject: [PATCH 221/288] Fixes #309 --- mkdocs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mkdocs.yml b/mkdocs.yml index a82ff6b2b..9c787d530 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -70,7 +70,7 @@ nav: - 'Maildir': 'u_e-backup_restore-maildir.md' - 'MySQL (mysqldump)': 'u_e-backup_restore-mysql.md' - 'mailcow-internal backups': - - 'Recover accidentally deleted data': 'b_n_r_accidental_deletion.md' + - 'Recover accidentally deleted data': 'b_n_r-accidental_deletion.md' - 'Manual/Guides/Examples': - 'mailcow UI': - 'Blacklist / Whitelist': 'u_e-mailcow_ui-bl_wl.md' From 6a2ce9c9ac53bc7362db0c42772dd2994162e250 Mon Sep 17 00:00:00 2001 
From: FingerlessGloves Date: Tue, 19 Oct 2021 18:14:10 +0100 Subject: [PATCH 222/288] Update Roundcube guide for 1.5 release and upgrade (#307) * Update Roundcube guide for 1.5 release Update Roundcube guide for 1.5 release, then added simple upgrade instructions, for people with older installs. * Update upgrade working Co-authored-by: Peter * Correct sentence capitalisation Co-authored-by: Peter * Correct sentence capitalisation Co-authored-by: Peter * Correct sentence capitalisation Co-authored-by: Peter * Update extract folder name Co-authored-by: Peter Co-authored-by: Peter --- docs/third_party-roundcube.md | 33 +++++++++++++++++++++++++++++++-- 1 file changed, 31 insertions(+), 2 deletions(-) diff --git a/docs/third_party-roundcube.md b/docs/third_party-roundcube.md index 18b4a9695..3191910a3 100644 --- a/docs/third_party-roundcube.md +++ b/docs/third_party-roundcube.md @@ -1,10 +1,13 @@ +## Installing Roundcube + Download Roundcube 1.5.x to the web htdocs directory and extract it (here `rc/`): ``` # Check for a newer release! cd data/web -wget -O - https://github.com/roundcube/roundcubemail/releases/download/1.5-rc/roundcubemail-1.5-rc-complete.tar.gz | tar xfvz - +wget -O - https://github.com/roundcube/roundcubemail/releases/download/1.5.0/roundcubemail-1.5.0-complete.tar.gz | tar xfvz - # Change folder name -mv roundcubemail-1.5-rc rc +mv roundcubemail-1.5.0 rc + # Change permissions chown -R root: rc/ ``` 
@@ -160,3 +163,29 @@ $MAILCOW_APPS = array( ); ... ```` + +## Upgrading Roundcube + +Upgrading Roundcube is rather simple, go to the [Github releases](https://github.com/roundcube/roundcubemail/releases) page for Roundcube and get the link for the "complete.tar.gz" file for the wanted release. Then follow the below commands and change the URL and Roundcube folder name if needed. + + +``` +# Enter a bash session of the mailcow PHP container +docker exec -it mailcowdockerized_php-fpm-mailcow_1 bash + +# Install required upgrade dependency, then upgrade Roundcube to wanted release + +apk add rsync +cd /tmp +wget -O - https://github.com/roundcube/roundcubemail/releases/download/1.5.0/roundcubemail-1.5.0-complete.tar.gz | tar xfvz - +cd roundcubemail-1.5.0 +bin/installto.sh /web/rc + +# Type 'Y' and press enter to upgrade your install of Roundcube + + +# Remove leftover files + +cd /tmp +rm -rf roundcube* +``` From daf7447f17a95ece88bf94a7b07a2880c07706b4 Mon Sep 17 00:00:00 2001 From: Peter Date: Tue, 19 Oct 2021 19:20:46 +0200 Subject: [PATCH 223/288] [GH-Actions][pages] Update mkdocs-material to 7.3.4 --- .github/workflows/gh-pages.yml | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 3df799302..7999628ff 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -16,7 +16,7 @@ jobs: run: | sudo apt-get -y update sudo apt-get -y install python3-pip - pip install mkdocs-material==7.3.3 pygments==2.10.0 mkdocs-redirects==1.0.3 + pip install mkdocs-material==7.3.4 pygments==2.10.0 mkdocs-redirects==1.0.3 - name: Build site 🔧 run: | diff --git a/README.md b/README.md index 1b0af58d9..eb554e803 100644 --- a/README.md +++ b/README.md 
@@ -9,6 +9,6 @@ https://mailcow.github.io/mailcow-dockerized-docs To build it locally, you need the [Material theme for MkDocs](https://squidfunk.github.io/mkdocs-material/), [MkDocs](https://www.mkdocs.org/) itself and [Pygments](http://pygments.org/). To install these with [pip](https://pip.pypa.io/en/stable/) and get it up and running, fire up your terminal and enter ``` -pip install mkdocs-material==7.3.3 pygments==2.10.0 mkdocs-redirects==1.0.3 +pip install mkdocs-material==7.3.4 pygments==2.10.0 mkdocs-redirects==1.0.3 mkdocs serve ``` From 66afa73d47fd4a611349ba3fd63f06bfa25ec0ea Mon Sep 17 00:00:00 2001 From: Peter Date: Tue, 19 Oct 2021 19:21:24 +0200 Subject: [PATCH 224/288] Add redirects for b_n_r(-/_)accidental_deletion.md --- mkdocs.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/mkdocs.yml b/mkdocs.yml index 9c787d530..9b23c154b 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -157,3 +157,4 @@ plugins: - redirects: redirect_maps: 'u_e-mailpiler-integration.md': 'third_party-mailpiler_integration.md' + 'b_n_r_accidental_deletion.md': 'b_n_r-accidental_deletion.md' From 4300400fb2f61596d5a4541eb473e63e4a376f76 Mon Sep 17 00:00:00 2001 From: andryyy Date: Sat, 23 Oct 2021 09:08:33 +0200 Subject: [PATCH 225/288] Add hint about disabling TFA in SOGo --- docs/u_e-sogo.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/u_e-sogo.md b/docs/u_e-sogo.md index 3fde37361..243ce16a1 100644 --- a/docs/u_e-sogo.md +++ b/docs/u_e-sogo.md @@ -74,3 +74,6 @@ Edit `data/conf/sogo/sogo.conf` and **change** `SOGoPasswordChangeEnabled` to `N Run `docker-compose restart memcached-mailcow sogo-mailcow` to activate the changes. +## Reset TOTP / Disable TOTP + +Run `docker-compose exec -u sogo sogo-mailcow sogo-tool user-preferences set defaults user@domain.tld SOGoTOTPEnabled '{"SOGoTOTPEnabled":0}'` from within the mailcow directory. From c5a26eae2d99e6f41001ef6793efd1ff411e304b Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Matula?= Date: Tue, 26 Oct 2021 21:12:31 +0200 Subject: [PATCH 226/288] Update prerequisite-system.md (#310) --- docs/prerequisite-system.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/prerequisite-system.md b/docs/prerequisite-system.md index 4880abe48..ba8364172 100644 --- a/docs/prerequisite-system.md +++ b/docs/prerequisite-system.md @@ -22,7 +22,7 @@ Please make sure that your system has at least the following resources: | Disk | 20 GiB (without emails) | | System Type | x86_64 | -We recommend using any distribution listed as supported by Docker CE (check https://docs.docker.com/install/). We test on CentOS 7, Debian 9/10 and Ubuntu 18.04/20.04. +We recommend using any distribution listed as supported by Docker CE (check https://docs.docker.com/install/). We test on CentOS 7, Debian 10/11 and Ubuntu 18.04/20.04. ClamAV and Solr can be greedy with RAM. You may disable them in `mailcow.conf` by settings `SKIP_CLAMD=y` and `SKIP_SOLR=y`. From 3454467df82b9e06332f671e43208ac30636bd6a Mon Sep 17 00:00:00 2001 From: Peter Date: Thu, 28 Oct 2021 18:32:39 +0200 Subject: [PATCH 227/288] [GH-Actions][pages] Update mkdocs-material to 7.3.5 --- .github/workflows/gh-pages.yml | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 7999628ff..2b1494e88 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -16,7 +16,7 @@ jobs: run: | sudo apt-get -y update sudo apt-get -y install python3-pip - pip install mkdocs-material==7.3.4 pygments==2.10.0 mkdocs-redirects==1.0.3 + pip install mkdocs-material==7.3.5 pygments==2.10.0 mkdocs-redirects==1.0.3 - name: Build site 🔧 run: | diff --git a/README.md b/README.md index eb554e803..003fa8dbc 100644 --- a/README.md +++ b/README.md 
@@ -9,6 +9,6 @@ https://mailcow.github.io/mailcow-dockerized-docs To build it locally, you need the [Material theme for MkDocs](https://squidfunk.github.io/mkdocs-material/), [MkDocs](https://www.mkdocs.org/) itself and [Pygments](http://pygments.org/). To install these with [pip](https://pip.pypa.io/en/stable/) and get it up and running, fire up your terminal and enter ``` -pip install mkdocs-material==7.3.4 pygments==2.10.0 mkdocs-redirects==1.0.3 +pip install mkdocs-material==7.3.5 pygments==2.10.0 mkdocs-redirects==1.0.3 mkdocs serve ``` From 8ee831eff9b36471733b0296bb0d3e64a545a1bf Mon Sep 17 00:00:00 2001 From: Dmitriy Alekseev <1865999+dragoangel@users.noreply.github.com> Date: Fri, 29 Oct 2021 11:34:41 +0300 Subject: [PATCH 228/288] Add watchdog docs --- docs/u_e-watchdog-thresholds.md | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 docs/u_e-watchdog-thresholds.md diff --git a/docs/u_e-watchdog-thresholds.md b/docs/u_e-watchdog-thresholds.md new file mode 100644 index 000000000..68f5daba3 --- /dev/null +++ b/docs/u_e-watchdog-thresholds.md @@ -0,0 +1,10 @@ +Watchdog has default values for all thresholds which fit great for most of setups. + +Thresholds variables don't added to `mailcow.conf` by default. +To adjust them just add needed threshold variable to `mailcow.conf` and run `docker-compose up -d`. + +## Thresholds description + +### MAILQ_CRIT and MAILQ_THRESHOLD + +Notificaty administrators if number of emails in the postfix queue is greater then `MAILQ_CRIT` for periond of `MAILQ_THRESHOLD * (60±30)` seconds. From 15531d8342744588c3c95d85f086bd7047023e49 Mon Sep 17 00:00:00 2001 From: Dmitriy Alekseev <1865999+dragoangel@users.noreply.github.com> Date: Fri, 29 Oct 2021 11:39:04 +0300 Subject: [PATCH 229/288] Update mkdocs.yml --- mkdocs.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/mkdocs.yml b/mkdocs.yml index 9b23c154b..c0c349ad6 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
@@ -108,6 +108,8 @@ nav: - 'Nginx': - 'Create subdomain webmail.example.org': 'u_e-webmail-site.md' - 'Custom sites': 'u_e-nginx.md' + - 'Watchdog': + - 'Modify thresholds': 'u_e-watchdog-thresholds.md' - 'Redis': 'u_e-redis.md' - 'Rspamd': 'u_e-rspamd.md' - 'SOGo': 'u_e-sogo.md' From 7622efb7155635d07ef4b8cbdf939ea3dfc5a26f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Fri, 29 Oct 2021 12:25:09 +0200 Subject: [PATCH 230/288] Update u_e-watchdog-thresholds.md --- docs/u_e-watchdog-thresholds.md | 31 ++++++++++++++++++++++++++++--- 1 file changed, 28 insertions(+), 3 deletions(-) diff --git a/docs/u_e-watchdog-thresholds.md b/docs/u_e-watchdog-thresholds.md index 68f5daba3..5d240ab4a 100644 --- a/docs/u_e-watchdog-thresholds.md +++ b/docs/u_e-watchdog-thresholds.md 
@@ -1,7 +1,32 @@ -Watchdog has default values for all thresholds which fit great for most of setups. +Watchdog uses default values for all thresholds defined in `docker-compose.yml`. -Thresholds variables don't added to `mailcow.conf` by default. -To adjust them just add needed threshold variable to `mailcow.conf` and run `docker-compose up -d`. +The default values will work for most setups. + +Example: + +``` + - NGINX_THRESHOLD=${NGINX_THRESHOLD:-5} + - UNBOUND_THRESHOLD=${UNBOUND_THRESHOLD:-5} + - REDIS_THRESHOLD=${REDIS_THRESHOLD:-5} + - MYSQL_THRESHOLD=${MYSQL_THRESHOLD:-5} + - MYSQL_REPLICATION_THRESHOLD=${MYSQL_REPLICATION_THRESHOLD:-1} + - SOGO_THRESHOLD=${SOGO_THRESHOLD:-3} + - POSTFIX_THRESHOLD=${POSTFIX_THRESHOLD:-8} + - CLAMD_THRESHOLD=${CLAMD_THRESHOLD:-15} + - DOVECOT_THRESHOLD=${DOVECOT_THRESHOLD:-12} + - DOVECOT_REPL_THRESHOLD=${DOVECOT_REPL_THRESHOLD:-20} + - PHPFPM_THRESHOLD=${PHPFPM_THRESHOLD:-5} + - RATELIMIT_THRESHOLD=${RATELIMIT_THRESHOLD:-1} + - FAIL2BAN_THRESHOLD=${FAIL2BAN_THRESHOLD:-1} + - ACME_THRESHOLD=${ACME_THRESHOLD:-1} + - RSPAMD_THRESHOLD=${RSPAMD_THRESHOLD:-5} + - OLEFY_THRESHOLD=${OLEFY_THRESHOLD:-5} + - MAILQ_THRESHOLD=${MAILQ_THRESHOLD:-20} + - MAILQ_CRIT=${MAILQ_CRIT:-30} +``` + + +To adjust them just add necessary threshold variables (e.g. `MAILQ_THRESHOLD=10`) to `mailcow.conf` and run `docker-compose up -d`. ## Thresholds description From 22b5937ebc44698c3a7a5af6b0e5852e3ebd50e6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Fri, 29 Oct 2021 12:25:38 +0200 Subject: [PATCH 231/288] Update mkdocs.yml --- mkdocs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mkdocs.yml b/mkdocs.yml index c0c349ad6..be490673a 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
@@ -109,7 +109,7 @@ nav: - 'Create subdomain webmail.example.org': 'u_e-webmail-site.md' - 'Custom sites': 'u_e-nginx.md' - 'Watchdog': - - 'Modify thresholds': 'u_e-watchdog-thresholds.md' + - 'Thresholds': 'u_e-watchdog-thresholds.md' - 'Redis': 'u_e-redis.md' - 'Rspamd': 'u_e-rspamd.md' - 'SOGo': 'u_e-sogo.md' From 1c571916dacf6a3cef7748b4211bc3429cf42679 Mon Sep 17 00:00:00 2001 From: Peter Date: Fri, 29 Oct 2021 21:24:45 +0200 Subject: [PATCH 232/288] Update u_e-watchdog-thresholds --- docs/u_e-watchdog-thresholds.md | 93 ++++++++++++++++++++++++--------- 1 file changed, 69 insertions(+), 24 deletions(-) diff --git a/docs/u_e-watchdog-thresholds.md b/docs/u_e-watchdog-thresholds.md index 5d240ab4a..db6c530ca 100644 --- a/docs/u_e-watchdog-thresholds.md +++ b/docs/u_e-watchdog-thresholds.md 
@@ -1,35 +1,80 @@ Watchdog uses default values for all thresholds defined in `docker-compose.yml`. The default values will work for most setups. - Example: - ``` - - NGINX_THRESHOLD=${NGINX_THRESHOLD:-5} - - UNBOUND_THRESHOLD=${UNBOUND_THRESHOLD:-5} - - REDIS_THRESHOLD=${REDIS_THRESHOLD:-5} - - MYSQL_THRESHOLD=${MYSQL_THRESHOLD:-5} - - MYSQL_REPLICATION_THRESHOLD=${MYSQL_REPLICATION_THRESHOLD:-1} - - SOGO_THRESHOLD=${SOGO_THRESHOLD:-3} - - POSTFIX_THRESHOLD=${POSTFIX_THRESHOLD:-8} - - CLAMD_THRESHOLD=${CLAMD_THRESHOLD:-15} - - DOVECOT_THRESHOLD=${DOVECOT_THRESHOLD:-12} - - DOVECOT_REPL_THRESHOLD=${DOVECOT_REPL_THRESHOLD:-20} - - PHPFPM_THRESHOLD=${PHPFPM_THRESHOLD:-5} - - RATELIMIT_THRESHOLD=${RATELIMIT_THRESHOLD:-1} - - FAIL2BAN_THRESHOLD=${FAIL2BAN_THRESHOLD:-1} - - ACME_THRESHOLD=${ACME_THRESHOLD:-1} - - RSPAMD_THRESHOLD=${RSPAMD_THRESHOLD:-5} - - OLEFY_THRESHOLD=${OLEFY_THRESHOLD:-5} - - MAILQ_THRESHOLD=${MAILQ_THRESHOLD:-20} - - MAILQ_CRIT=${MAILQ_CRIT:-30} +- NGINX_THRESHOLD=${NGINX_THRESHOLD:-5} +- UNBOUND_THRESHOLD=${UNBOUND_THRESHOLD:-5} +- REDIS_THRESHOLD=${REDIS_THRESHOLD:-5} +- MYSQL_THRESHOLD=${MYSQL_THRESHOLD:-5} +- MYSQL_REPLICATION_THRESHOLD=${MYSQL_REPLICATION_THRESHOLD:-1} +- SOGO_THRESHOLD=${SOGO_THRESHOLD:-3} +- POSTFIX_THRESHOLD=${POSTFIX_THRESHOLD:-8} +- CLAMD_THRESHOLD=${CLAMD_THRESHOLD:-15} +- DOVECOT_THRESHOLD=${DOVECOT_THRESHOLD:-12} +- DOVECOT_REPL_THRESHOLD=${DOVECOT_REPL_THRESHOLD:-20} +- PHPFPM_THRESHOLD=${PHPFPM_THRESHOLD:-5} +- RATELIMIT_THRESHOLD=${RATELIMIT_THRESHOLD:-1} +- FAIL2BAN_THRESHOLD=${FAIL2BAN_THRESHOLD:-1} +- ACME_THRESHOLD=${ACME_THRESHOLD:-1} +- RSPAMD_THRESHOLD=${RSPAMD_THRESHOLD:-5} +- OLEFY_THRESHOLD=${OLEFY_THRESHOLD:-5} +- MAILQ_THRESHOLD=${MAILQ_THRESHOLD:-20} +- MAILQ_CRIT=${MAILQ_CRIT:-30} ``` - To adjust them just add necessary threshold variables (e.g. `MAILQ_THRESHOLD=10`) to `mailcow.conf` and run `docker-compose up -d`. 
-## Thresholds description -### MAILQ_CRIT and MAILQ_THRESHOLD +### Thresholds descriptions -Notificaty administrators if number of emails in the postfix queue is greater then `MAILQ_CRIT` for periond of `MAILQ_THRESHOLD * (60±30)` seconds. +#### NGINX_THRESHOLD +Notifies administrators if watchdog can not establish a connection to Nginx on port 8081 and it will restart the container automatically when issues were found and the threshold has been reached. + +#### UNBOUND_THRESHOLD +Notifies administrators if Unbound can not resolve/valide external domains/DNSSEC and it will restart the container automatically when issues were found and the threshold has been reached. + +#### REDIS_THRESHOLD +Notifies administrators if watchdog can not establish a connection to Redis on port 6379 and it will restart the container automatically when issues were found and the threshold has been reached. + +#### MYSQL_THRESHOLD +Notifies administrators if watchdog can not establish a connection to MySQL or can not query a table and it will restart the container automatically when issues were found and the threshold has been reached. + +#### MYSQL_REPLICATION_THRESHOLD +Notifies administrators if the MySQL replication fails. + +#### SOGO_THRESHOLD +Notifies administrators if watchdog can not establish a connection to SOGo on port 20000 and it will restart the container automatically when issues were found and the threshold has been reached. + +#### POSTFIX_THRESHOLD +Notifies administrators if watchdog can not sent a test mail via port 589 and it will restart the container automatically when issues were found and the threshold has been reached. + +#### CLAMD_THRESHOLD +Notifies administrators if watchdog can not establish a connection to Clamd and it will restart the container automatically when issues were found and the threshold has been reached. 
+ +#### DOVECOT_THRESHOLD +Notifies administrators if watchdog fails with various tests with Dovecot container and it will restart the container automatically when issues were found and the threshold has been reached. + +#### DOVECOT_REPL_THRESHOLD +Notifies administrators if the Dovecot replication fails. + +#### PHPFPM_THRESHOLD +Notifies administrators if watchdog can not establish a connection to PHP-FPM on port 9001/9002 and it will restart the container automatically when issues were found and the threshold has been reached. + +#### RATELIMIT_THRESHOLD +Notifies administrators if a ratelimit got hit. + +#### FAIL2BAN_THRESHOLD +Notifies administrators if a fail2ban banned an IP. + +#### ACME_THRESHOLD +Notifies administrators if something is wrong with the acme-mailcow container. You may check its logs. + +#### RSPAMD_THRESHOLD +Notifies administrators if watchdog fails with various tests with Rspamd container and it will restart the container automatically when issues were found and the threshold has been reached. + +#### OLEFY_THRESHOLD +Notifies administrators if watchdog can not establish a connection to olefy on port 10005 and it will restart the container automatically when issues were found and the threshold has been reached. + +#### MAILQ_CRIT and MAILQ_THRESHOLD +Notifies administrators if number of emails in the postfix queue is greater then `MAILQ_CRIT` for period of `MAILQ_THRESHOLD * (60±30)` seconds. From b3cc2ee5fb35111d9d7b5862fb51bcd569465e37 Mon Sep 17 00:00:00 2001 From: Dmitriy Alekseev <1865999+dragoangel@users.noreply.github.com> Date: Sat, 30 Oct 2021 03:30:03 +0300 Subject: [PATCH 233/288] Update SOGo Theme Docs --- docs/u_e-sogo.md | 39 ++++++++++++++++++++++++++++++++++----- 1 file changed, 34 insertions(+), 5 deletions(-) diff --git a/docs/u_e-sogo.md b/docs/u_e-sogo.md index 243ce16a1..c6d5d6deb 100644 --- a/docs/u_e-sogo.md +++ b/docs/u_e-sogo.md 
@@ -8,12 +8,35 @@ Please check the AngularJS Material [intro](https://material.angularjs.org/lates You can use the provided `custom-theme.js` as an example starting point by removing the comments. After you modified `data/conf/sogo/custom-theme.js` and made changes to your new SOGo theme you need to -* edit `data/conf/sogo/sogo.conf` and append/set `SOGoUIxDebugEnabled = YES;` -* restart SOGo and Memcached containers by executing `docker-compose restart memcached-mailcow sogo-mailcow`. +1. edit `data/conf/sogo/sogo.conf` and append/set `SOGoUIxDebugEnabled = YES;` +2. restart SOGo and Memcached containers by executing `docker-compose restart memcached-mailcow sogo-mailcow`. +3. open SOGo in browser +4. open browser developer console, usually shortcut is F12 +5. only if you use Firefox: write by hands in dev console `allow pasting` and press enter +6. paste java script snipet in dev console: +``` +copy([].slice.call(document.styleSheets) + .map(e => e.ownerNode) + .filter(e => e.hasAttribute('md-theme-style')) + .map(e => e.textContent) + .join('\n') +) +``` +7. open text editor and paste data from clipboard (Ctrl+V), you should get minified CSS, save it +8. copy CSS file to mailcow server `data/conf/sogo/custom-theme.css` +9. edit `data/conf/sogo/sogo.conf` and set `SOGoUIxDebugEnabled = NO;` +10. append/create `docker-compose.override.yml` with: +``` + sogo-mailcow: + volumes: + - ./data/conf/sogo/custom-theme.css:/usr/lib/GNUstep/SOGo/WebServerResources/css/theme-default.css:z +``` +11. run `docker-compose up -d` +12. run `docker-compose restart memcached-mailcow` ## Reset to SOGo default theme -Checkout `data/conf/sogo/custom-theme.js` by executing `git fetch ; git checkout origin/master data/conf/sogo/custom-theme.js data/conf/sogo/custom-theme.js` -Find in `data/conf/sogo/custom-theme.js`: +1. checkout `data/conf/sogo/custom-theme.js` by executing `git fetch ; git checkout origin/master data/conf/sogo/custom-theme.js data/conf/sogo/custom-theme.js` +2. 
find in `data/conf/sogo/custom-theme.js`: ``` // Apply new palettes to the default theme, remap some of the hues $mdThemingProvider.theme('default') @@ -31,10 +54,16 @@ Find in `data/conf/sogo/custom-theme.js`: }) .backgroundPalette('frost-grey'); ``` -and replace with: +and replace it with: ``` $mdThemingProvider.theme('default'); ``` +3. remove from `docker-compose.override.yml` volume mount in `sogo-mailcow`: +``` +- ./data/conf/sogo/custom-theme.css:/usr/lib/GNUstep/SOGo/WebServerResources/css/theme-default.css:z +``` +4. run `docker-compose up -d` +5. run `docker-compose restart memcached-mailcow` ## Change favicon mailcow builds after 31 January 2021 can change SOGo's favicon by replacing `data/conf/sogo/custom-favicon.ico` for SOGo and `data/web/favicon.png` for mailcow UI. From 4e7e1668da89265102a9980b4b09cef4dbff81af Mon Sep 17 00:00:00 2001 From: Dmitriy Alekseev <1865999+dragoangel@users.noreply.github.com> Date: Sat, 30 Oct 2021 03:33:29 +0300 Subject: [PATCH 234/288] Update SOGo Theme Docs --- docs/u_e-sogo.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/u_e-sogo.md b/docs/u_e-sogo.md index c6d5d6deb..0462df619 100644 --- a/docs/u_e-sogo.md +++ b/docs/u_e-sogo.md @@ -27,6 +27,9 @@ copy([].slice.call(document.styleSheets) 9. edit `data/conf/sogo/sogo.conf` and set `SOGoUIxDebugEnabled = NO;` 10. append/create `docker-compose.override.yml` with: ``` +version: '2.1' + +services: sogo-mailcow: volumes: - ./data/conf/sogo/custom-theme.css:/usr/lib/GNUstep/SOGo/WebServerResources/css/theme-default.css:z From 99e5ff81619e0914048d8db4d488eba40e12005f Mon Sep 17 00:00:00 2001 
From: Michael Kuron Date: Sun, 31 Oct 2021 17:10:57 +0100 Subject: [PATCH 235/288] Update Thunderbird client instructions for built-in CardDAV support --- docs/client/client-thunderbird.md | 66 ++---------- docs/download/build-thunderbird-plugins.sh | 61 ----------- docs/download/thunderbird-plugins.php | 118 --------------------- docs/third_party-thunderbird.md | 28 ----- mkdocs.yml | 1 - 5 files changed, 6 insertions(+), 268 deletions(-) delete mode 100755 docs/download/build-thunderbird-plugins.sh delete mode 100644 docs/download/thunderbird-plugins.php delete mode 100644 docs/third_party-thunderbird.md diff --git a/docs/client/client-thunderbird.md b/docs/client/client-thunderbird.md index c863d4e5f..7fd3efa8c 100644 --- a/docs/client/client-thunderbird.md +++ b/docs/client/client-thunderbird.md @@ -6,76 +6,22 @@ If this is the first time you launched Thunderbird, it asks you whether you would like a new email address. Click Skip this and use my existing email and proceed to step 4.
  • - Go to the Tools menu and select Account Settings. -
  • -
  • - Click the Account Actions dropdown menu at the bottom left and select Add Mail Account. + Go to the File menu and select New, Existing Mail Account....
  • Enter your name (), email address () and your password. Make sure the Remember password checkbox is selected and click Continue.
  • - Once the configuration has been automatically detected, click Done. + Once the configuration has been automatically detected, make sure IMAP is selected and click Done.
  • - If you already had other accounts configured in Thunderbird, select the new one () on the left, click the Account Actions dropdown and select Set as Default. + To use your contacts from the server, click on the arrow next to "Address Books" and click the Connect button on each address book you would like to use.
  • - Close the account settings window with the OK button. + To use your calendars from the server, click on the arrow next to "Calendars" and click the Connect button on each calendar you would like to use.
  • -
  • - In your web browser, download SOGo ConnectorSOGo Connector. -
  • -
  • - Back in Thunderbird, go to the Tools menu and select Add-ons. -
  • -
  • - Click Extensions on the left and ensure that the Lightning add-on is already installed. It is installed by default in the Windows and macOS versions of Thunderbird, but if you are running Linux and installed Thunderbird through your distribution's package manager, Lightning might be available as a separate package (e.g. xul-ext-lightning on Ubuntu). -
  • -
  • - Click Extensions on the left, click the little gear icon at the top and select Install Add-on From File. Select the file you downloaded in step 9, click Open and, after waiting for a few seconds, Install Now. -
  • -
  • - Click the Restart Now button at the top that appears. -
  • -
  • - Thunderbird briefly shows a message that it is updating extensions, then restarts automatically once more. -
  • -
  • - When you are prompted to authenticate for , enter your email address and password, check Use Password Manager and click OK. +
  • + Click Finish to close the Account Setup window.
  • -
    -Automatic configuration of calendars and address books in Thunderbird is not currently supported. - You can ask your server administrator to enable SOGo Connector if you need it. -
    - -
    -Automatic configuration of calendars and address books (from step 9 onward) in Thunderbird is only supported if your server administrator has enabled [SOGo Connector](https://mailcow.github.io/mailcow-dockerized-docs/third_party-thunderbird). -
    - -## Different method of connecting Cal-/CardDAV in Thunderbird with automatic detection of address books and calendars - -Instead of using SOGo Connector you can use a combination of - -- https://addons.thunderbird.net/de/thunderbird/addon/tbsync/ and -- https://addons.thunderbird.net/de/thunderbird/addon/dav-4-tbsync/ - -1. To add your Cal-/CardDAV accounts go to `Tools` and find TbSync - -![TbSync](../images/thunderbird-tbsync.png) - -2. You can add new accounts via the CalDAV & CardDAV provider: - -![TbSync - CalDAV & CardDAV Provider](../images/thunderbird-tbsync-caldav.png) - -3. Choose "Automatic Configuration". Use your mail address as account and username. Use your mail password as DAV password. The server URL is your MAILCOW_HOSTNAME (specifying any protocol is not necessary, just enter the full domain). - -4. Now tick the checkbox for "Enable and synchronize this account" in the synchronization status tab: - -![TbSync - Enable](../images/thunderbird-tbsync-enable.png) - -5. Several available resources should appear in the same window area now. Tick all checkboxes of the resources (address books and calendars) that you want to sync. Choose a synchronization period (in minutes) in the same window area before clicking on "Synchronize now". If you leave the sync at "0" it will only sync manually so choose at least 30 minutes for periodic synchronization. - -If you want to manually synchronize you can find this option under "Account actions" - the dropdown-menu where you added the Cal-/CardDAV account (step 2). diff --git a/docs/download/build-thunderbird-plugins.sh b/docs/download/build-thunderbird-plugins.sh deleted file mode 100755 index 35ff84a26..000000000 --- a/docs/download/build-thunderbird-plugins.sh +++ /dev/null 
@@ -1,61 +0,0 @@ -#!/bin/bash - -set -e - -MAILHOST=$1 -if [ "$MAILHOST" = "" ]; then - echo "Usage: echo example.com example.org | $0 mailcow.example.com" - exit 1 -fi - -cd $(dirname $0) - -# we have to use the master branch, because there is no tag or release at the moment -wget -O connector.zip https://github.com/inverse-inc/sogo-connector/archive/master.zip -unzip connector.zip - -# build custom connector -while read DOMAINS; do - for DOMAIN in $DOMAINS; do - echo "Building SOGo Connector for $DOMAIN hosted on $MAILHOST" - cd sogo-connector-master - mkdir -p custom/${DOMAIN} - cp -r custom/sogo-demo/* custom/${DOMAIN}/ - sed -i "s/https:\/\/demo\.sogo\.nu/https:\/\/${MAILHOST}/g" custom/${DOMAIN}/chrome/content/sogo-connector/general/custom-preferences.js - sed -i "s/plugins\/updates\.php[?]/thunderbird-plugins.php?domain=${DOMAIN}\&/g" chrome/content/sogo-connector/global/extensions.rdf - # adjust sogo-connector.autocomplete.server.urlid - sed -i "s/\"public\"/\"${MAILHOST}\"/g" custom/${DOMAIN}/chrome/content/sogo-connector/general/custom-preferences.js - # remove wrong timezone setting - sed -i 's/char_pref(\"calendar\.timezone\.local\", \"\/mozilla\.org\/20070129_1\/America\/Montreal\");//g' custom/${DOMAIN}/chrome/content/sogo-connector/general/custom-preferences.js - - echo 'bool_pref("mail.collect_email_address_outgoing", false);' >> custom/${DOMAIN}/chrome/content/sogo-connector/general/custom-preferences.js - make build=${DOMAIN} - CONNECTOR_VER=$(grep \"version\" manifest.json | awk -F '"' '{print $4}') - CONNECTOR_MIN_VER=$(grep strict_min_version manifest.json | grep -Eo '[0-9\.]+' | head -n 1) - mv sogo-connector-*.xpi ../sogo-connector-${CONNECTOR_VER}-${DOMAIN}.xpi - cd .. 
- done -done - -# if you add any other plugins below, you need to add them into extensions.rdf as in the line commented out above - -# # download Sieve plugin -# SIEVE_RELEASES=$(wget --header="Accept: application/vnd.github.v3+json" -qO - https://api.github.com/repos/thsmi/sieve/releases) -# SIEVE_VER=$(echo "$SIEVE_RELEASES" | grep -o '"tag_name": *"[^"]*"' | head -n 1 | awk -F '"' '{print $4}') -# SIEVE_URL=$(echo "$SIEVE_RELEASES" | grep -o '"browser_download_url": *"[^"]*"' | head -n 1 | awk -F '"' '{print $4}') -# wget -O sieve-${SIEVE_VER}.xpi ${SIEVE_URL} -# unset SIEVE_RELEASES -# -# # download ACL plugin -# IMAP_ACL_RELEASES=$(wget -qO - 'https://addons.thunderbird.net/en-US/thunderbird/addon/imap-acl-extension/') -# IMAP_ACL_VER=$(echo "$IMAP_ACL_RELEASES" | grep version-number | awk -F '[<>]' '{print $3}' | head -n 1) -# IMAP_ACL_URL=$(echo "$IMAP_ACL_RELEASES" | grep -o 'https://.*\.xpi' | head -n 1) -# wget -O imap_acl_extension-${IMAP_ACL_VER}-tb.xpi ${IMAP_ACL_URL} -# unset IMAP_ACL_RELEASES - -# update version file -echo "sogo-connector@inverse.ca;${CONNECTOR_VER};sogo-connector-${CONNECTOR_VER}-__DOMAIN__.xpi;${CONNECTOR_MIN_VER}" > version.csv -# echo "sieve@mozdev.org;${SIEVE_VER};sieve-${SIEVE_VER}.xpi" >> version.csv -# echo "imap-acl@sirphreak.com;${IMAP_ACL_VER};imap_acl_extension-${IMAP_ACL_VER}-tb.xpi" >> version.csv - -rm -rf sogo-connector-master *.zip diff --git a/docs/download/thunderbird-plugins.php b/docs/download/thunderbird-plugins.php deleted file mode 100644 index 889cdf35d..000000000 --- a/docs/download/thunderbird-plugins.php +++ /dev/null 
@@ -1,118 +0,0 @@ - 'thunderbird', - 'version' => $row[1], - 'filename' => str_replace('__DOMAIN__', $_GET["domain"], $row[2]), - ); - if (count($row) > 3) - { - $plugins[$row[0]]['min_version'] = $row[3]; - } - else - { - $plugins[$row[0]]['min_version'] = '30.0'; - } - } - fclose($fh); - } -} - -$applications -= array( "thunderbird" => "{3550f703-e582-4d05-9a08-453d09bdfdc6} - __MIN_VERSION__ - 99.*" ); - -$pluginname = $_GET["plugin"]; -$plugin =& $plugins[$pluginname]; -$application =& $applications[$plugin["application"]]; - -if ( $plugin ) { - $platform = $_GET["platform"]; - if ( $platform - && file_exists( $platform . "/" . $plugin["filename"] ) ) { - $plugin["filename"] = $platform . "/" . $plugin["filename"]; - } - elseif ( !file_exists( $plugin["filename"] ) ) { - $plugin = false; - } -} - -if (preg_match('/Thunderbird\/([0-9\.]+)/', $_SERVER['HTTP_USER_AGENT'], $client_ver)) -{ - $client_ver = $client_ver[1]; -} -else -{ - $client_ver = $plugin['min_version']; -} - -if ( $plugin ) { - if (version_compare($client_ver, $plugin['min_version'], '<')) { - header("Content-type: text/plain; charset=utf-8", true, 404); - echo( 'Plugin not compatible with client version' ); - exit; - } - header("Content-type: text/xml; charset=utf-8"); - echo ('' . "\n"); -?> - - - - - -
  • - - - - - - - - - - -
  • -
    -
    -
    -
    - diff --git a/docs/third_party-thunderbird.md b/docs/third_party-thunderbird.md deleted file mode 100644 index 8f018c9de..000000000 --- a/docs/third_party-thunderbird.md +++ /dev/null @@ -1,28 +0,0 @@ -# Build the SOGo Connector plugin - -Install GNU Make, tar, and ZIP if you don't already have them installed. On Debian/Ubuntu, this can be done using - -``` -apt-get install make tar zip -``` - -Next, go to `data/web` inside mailcow-dockerized. -Place the file [thunderbird-plugins.php](download/thunderbird-plugins.php) into that directory. -Create a new directory `thunderbird-plugins` and place the script [build-plugins.sh](download/build-thunderbird-plugins.sh) into it. -Finally, execute the script with your hostname as an argument and piping it the names of all domains that mailcow handles. -All of this can be done using the following commands: - -``` -cd data/web -curl -LO https://github.com/mailcow/mailcow-dockerized-docs/raw/master/docs/download/thunderbird-plugins.php -mkdir thunderbird-plugins -cd thunderbird-plugins -curl -Lo build-plugins.sh https://github.com/mailcow/mailcow-dockerized-docs/raw/master/docs/download/build-thunderbird-plugins.sh -chmod +x build-plugins.sh -echo example.com example.org | ./build-plugins.sh mailcow.example.com -``` - -# Install it in Thunderbird - -After you have set up your mailcow IMAP account in Thunderbird, download the SOGo Connector plugin for your domain, e.g. https://mailcow.example.com/thunderbird-plugins/sogo-connector-68.0.1-example.com.xpi (see `data/web/thunderbird-plugins`), and install it into Thunderbird. -All your address books and calendars will be configured automatically. diff --git a/mkdocs.yml b/mkdocs.yml index be490673a..10b570ebe 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
@@ -142,7 +142,6 @@ nav: - 'Nextcloud': 'third_party-nextcloud.md' - 'Portainer': 'third_party-portainer.md' - 'Roundcube': 'third_party-roundcube.md' - - 'SOGo Connector for Thunderbird': 'third_party-thunderbird.md' extra: palette: primary: "indigo" From ed884ba71b86d7c48c1f95a83d0c81fb79727da6 Mon Sep 17 00:00:00 2001 From: Tim <43141240+DeatPlayer@users.noreply.github.com> Date: Sun, 31 Oct 2021 21:20:01 +0100 Subject: [PATCH 236/288] [Docs] Example setup of Yubico-OTP (#313) * Added example setup instructions to setup a YubiKey for OTP --- docs/u_e-mailcow_ui-tfa.md | 24 ++++++++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/docs/u_e-mailcow_ui-tfa.md b/docs/u_e-mailcow_ui-tfa.md index 58e25c61f..291f09b38 100644 --- a/docs/u_e-mailcow_ui-tfa.md +++ b/docs/u_e-mailcow_ui-tfa.md 
@@ -12,12 +12,32 @@ The key used to login will be displayed in green, while other keys remain grey. Information on how to remove 2FA can be found [here](https://mailcow.github.io/mailcow-dockerized-docs/debug-reset_pw/#remove-two-factor-authentication). -### Yubi OTP +## Yubi OTP The Yubi API ID and Key will be checked against the Yubico Cloud API. When setting up TFA you will be asked for your personal API account for this key. The API ID, API key and the first 12 characters (your YubiKeys ID in modhex) are stored in the MySQL table as secret. -### U2F +### Example setup + +First of all, the YubiKey must be configured for use as an OTP Generator. To do this, download the `YubiKey Manager` from the Yubico website: [here](https://www.yubico.com/support/download/) + +In the following you configure the YubiKey for OTP. +Via the menu item `Applications` -> `OTP` and a click on the `Configure` button. In the following menu select `Credential Type` -> `Yubico OTP` and click on `Next`. + +Set a checkmark in the `Use serial` checkbox, generate a `Private ID` and a `Secret key` via the buttons. +So that the YubiKey can be validated later, the checkmark in the `Upload` checkbox must also be set and then click on `Finish`. + +Now a new browser window will open in which you have to enter an OTP of your YubiKey at the bottom of the form (click on the field and then tap on your YubiKey). Confirm the captcha and upload the information to the Yubico server by clicking 'Upload'. The processing of the data will take a moment. + +After the generation was successful, you will be shown a `Client ID` and a `Secret key`, make a note of this information in a safe place. + +Now you can select `Yubico OTP authentication` from the dropdown menu in the mailcow UI on the start page under `Access` -> `Two-factor authentication`. +In the dialog that opened now you can enter a name for this YubiKey and insert the `Client ID` you noted before as well as the `Secret key` into the fields provided. 
+Finally, enter your current account password and, after selecting the `Touch Yubikey` field, touch your YubiKey button. + +Congratulations! You can now log in to the mailcow UI using your YubiKey! + +## U2F To use U2F, the browser must support this standard. From cd2df02f403c8e9a2e2197f1c88aa371b1ba5377 Mon Sep 17 00:00:00 2001 From: Michael Kuron Date: Sun, 31 Oct 2021 17:10:57 +0100 Subject: [PATCH 237/288] Remove TbSync screenshots --- docs/images/thunderbird-tbsync-caldav.png | Bin 33035 -> 0 bytes docs/images/thunderbird-tbsync-enable.png | Bin 40052 -> 0 bytes docs/images/thunderbird-tbsync.png | Bin 22902 -> 0 bytes 3 files changed, 0 insertions(+), 0 deletions(-) delete mode 100644 docs/images/thunderbird-tbsync-caldav.png delete mode 100644 docs/images/thunderbird-tbsync-enable.png delete mode 100644 docs/images/thunderbird-tbsync.png 
diff --git a/docs/images/thunderbird-tbsync-caldav.png b/docs/images/thunderbird-tbsync-caldav.png deleted file mode 100644 index b9f60023b785de3e10383b46d51081466f576b24..0000000000000000000000000000000000000000 GIT binary patch
zft9Q$E#G{ld=PfC9+@y#odMz_Y;jmaH`e1|=hLx>w-J`SV}#EWMXqyyisqyCAYHSS zcDD_~CCunXOIw3bzbR4>Vz~wSLjgyjs))%W%s>zZHfS`}WxVSx7a^XY2&}$*Zei|v zVtj84A0`-rxztE;cqhr7E_9;PQ*UT3I>xo)Rd%BT-^L7 zFXV(>^vU+m${JCFdaBQM++Ki6OhqTsYULY`!YzPUYnZDtz@u1JWHV?~aR*(AWR`3{ z9bLPqtZ+7C$1Bms9UpfTb+^&ompX(btSU1oLn<*AXIIgOAA&|DaAGMvC#6CtDsnQO zfXAo*WU&DxX_YICfD*!fWDU%_Q@ zqrthH)0;*al?Nc{$x$=6b;ONx8(vb%fzt}SLD^E~yH3(&C&Oh;5^nQc!F8B|SkP_x z9f8!XMTJX@>v5)Y+G@&d5k9z!2>~0RO_bLlGh6YS5x&(Y>!;5e#?E^@tr~ZC`cwr) zxeVoV&(r~gXaT5zU)~yw=iw1|HVDzn_koKqcE?rcUX2-VZVx+jwn6xqR$X3?Ud+9Oh|11iNy~FX?CSJV2!5Ux|!8c zG;FF{%DN{H)uh9BuVzpN%C>*co4+;Y$uA^MS0w0!SHdSGO?VNG5&*}t-g*W6jw;-v z_my%T;rKHx`HPRToYa$$4BzBZtd!)(-8)Yvag>YTME}W)D>?qtswxSFJf#^E`sV_h zO#)3r?(00*{DNo5Sh9WshxZ<19`a`^xFDu3?@l6HikNn2NocW0H3hRN-{?MEQdu{S zZh~i~@u>!rqV&+&dM@1QFWBorN9)Rv!C4|^mQE?7aS-Y=;V9$)D{Dz!0hTR_{C&rHhn?0BEuEhuf`TbS6p)zuJ78nF!RZjc$5q*oTF6;wO;l^Ge4>=|4ls@0jIy<5 zni!Er+tj*Pw2@bkLQmqFRG5@Oxe9DyqPema4u6q%-lD&mYTkBDl%F0IBz9&FsM(Q8xv1r{T#ff*5YDqr6mF3$GBZ(Y>O#0MlRo7DoJIb=ci!Sq1BcJ?HK`f+KXq~+b*;ul~i*>jB)qAIqWXC255+|@78V$c? 
z#(1L{??USy;I^Ft3-G@QsXZ1P_V3xkX@{vO!c4hZXT01xu#~M3n*fs{Y{LWtMiWp| z;+lmM8$ITIwlV>WWXM zyA`Flo%cH$z4TgS;K^t{mkHywPea(+2(L15Z_#_Q_RfjIgv5xs=@hJ=UFTPAu4He|vZ0BCJQlDOZ>#vuAf$ zHD7i=0iX9;#MOd%WUexjZA8_TUhjQRx7k<-Msc~K7+l2V&E7--cz{8OCpw9=;s-IU zD$Lfij)C8oD##F$%eXaq1AQ)}RLD1W^O@!&PsEDK5{VrXg3z>iIKRVHu21(XB!|xU z6Ma^)-qt)H7*`5*G^7M5O>g8*AzZOJ#2;y1neN&3qXZkU&(M07?Jq>hZqk|u!4Wg++m8=1ow_k$X1PLH zmtf0S&f(g3HDad{Cu-D;_D9`2DaTq8Q5}w#e4ZW3=IAl>PZ(Ote%dRwuOF-{1p>nF z`D^TBq(GyPZ&A*}RV|4UIY=oXKZR|Pa^b+I1z%I^yAt_3f81}T!!}gH93PJjX{8|k z_h@^W1eRhZAm?ih;mbfH zCB=T0!)gzrE6|Bb38=)fsrAkPlt8-oe;1blQ|XV-r0U;p)Iy)01VE_YZo_phHTw1VVCO+MaX%-#X{6yY9McUDjgdz*~z%*?Y{r3!(S;WDeXW1{n^V(O8`RHdQrBaRaXHWl-9J)B6EDK3Mfze}uTpsmxYb$u^ z#p_FT;GkNyui-&8kB6?FHec@Acz&h%vD?`%Ms>8W9sTXsMVJ2wxPJPZ?|%9^a?jWQ z@x{S^kQD@W`vw}pZ09|ADMgD>t{5B#2V=P`l&4ax2!3pbB*G1GAJmm35iUR!>;5l3 zKj#CVTS;j>tA5(E>h~{z!;z*GbLgqv`+>th$_Jqid23hRrhOb(;Mew64J-Z$oc<28 zR#VzNwzoKz+e*J=Sj}{@2-1PsFOAuM8c`RG5zKNpvLDg9t4pJzM~WhKd{&W0UR9_n z&UNz!$^>}5Qt?`6Y4_pX{dX&>7_&Zl`Y@_wIC-$$j(*xWRFmj@(@iG+h~@8w6zQ<# zQ>)4A_p50Lu=O$doFGrIi`R9M!)nUqDItqVi$m}~*ah^xU?=nP?FZdnbWdLgamMPHaWxa+>H>0=Z+FARUeWW> z{{UXEHJSLl6e$y>^Dy#gfdjFRI^OITkjc5oJ9euX+&6DJHW;LS; zY-L_9el{l>XS1?qQP&b>+kP_)G1b|QvNq`P*G0?C{6Z3jyrD1>+jVQ71T`ZS$9LYW z?kS4lR^XU}gtgq{kJW7KEauud=MBR={_gvshZUK+N3bns$LK2MNLzXDl=El9U~#oMZXvlGiSGNopu)LGzo-Yu=(WnTEkk)?c&efsLYvXsW%^t+_U+y_58iZwV3saBr?i+Aor6oFxv2iH>nre4>j=1$agiF61CaQ5PV3MfApMq7W(MRh_)~=ufZb!}&j< z)-!wxtWVY`UuJnqt|L|Rs!XBfW@`Mr5LXXi@$2L=bG1ajFRc!(ULmipZL&tDFsbRXnTgNrn_j@Y;yaE`w~ z-n_5IA0p_gDx*Gd)+$rq5#y`215PQQot^NQ9@NR?sMs6TJqtlitZ`CiYJ`45cAW{5 z;YI8}isHZ5n zFNQ~PX^rI;?CG#$)~KX~n?d5;YW;1&XzP?qidZcRf`J>t(#E!G4jZH{M!ckv&(}YrVgeyXV#2&2QQeS-g(z^4v$rBN4r} zdwAw*gRZw@em~C?!!GPuN7a$oOT)M`0orflb(Q^D&BP{r_&`I?K_^#k)xcAV>Wtt$E__tDJ^7G*%xB@0Fej=@cTlctrlj=y53!yNh|!>>nD!Ud7cw4wL)~x* z=(~<80QoqpHbnFqu7Q_6&+pr#By!cKzym#1K#8WF^ zo~9OS5I0}8*?;~FhyMXR$M}NKVIR8IjTQWXgZuyqvP{u_Yq#ff1X2ACH}_ywgXe<+ zPH%5|n7m5r=#f?1`=R6d)~+E+Ic2z0Oe9h7uL$0)b*&2uSJwktYf#=x3yZCF6kgJ> 
zs}FUf^XyzlPb&{+P<1i?Ury_lt*|9O5ReiUi_6Tl5)<1WSx|+i;nRHu<~SM*yv7cb z(X`i0Y>1d`E$;L|>_YT{8)4d0s?$DGmB``WjkkN^Ys@d~`B*m? z-Md!(>!%;|$(mbNeW)BRl@nCYzcH{W?|gWuY;Y^dGZzRWWdzi%Z#AMrKVuXuE)iKzutWpPhKdiI40paOWqXH+%$T1czgxl2?B3tB1!E zw?agZHM;;m4-4|WS?Ouc<-cR2&J!% zt+lL$sXPSPwET?N`lb^aL?7B$xA2Mc6I$um*`}}~QSJ2+7a!gPjy<8Q)kDs)QMx5@TL6T3VOl@d9d-?h*Ll9OWo{bQ;l;ZW(pzL6q?f_l z>VnczJEOiS*D{K&84XT0|<^ej&@{K3S)0!69elzhi z3xaSeF&i+vv#pU=*JFPlBCv6Ylhg54y}wgjk6WPQxVK2B5xuKlLJixjbYo{%XbBQ{c^>F)>c!yP%zTg?^ML-3Nkw43{U*fQwX(sFyzXe2w*kq_oA0KzH`Or zCR9GG+`efMw<*tR{M*`ztrtf|r|%WZT(^A5t4S33{BdZgVw1!qD5T<)%%a7aptx)m zw5V3H%|j;k6*awZZJB8yrh3RWIhwTBDlT8+z~y_3m&^m2B2nbEvT7Qdpsl`zS$v#K zw=-fyQyjiE@+t{}oYCJjgARPt8v7!2UrbQd^uHb z|KYRsF5%*2i#mWd8)q4*rfZUoK;66a!M`~oa;FBMRxeRH^#=dL#0-~hYuXLicfLSav{WSv-fY8 zPyQKSmxZ$fXgv)g#}%7{cqX-fKbU6Uv7`f}()zaf=QW9rsh!RiI-j=s#Iw_hLq84Q zQf#ZxK;=@te*=H4?NhFm=$%iR&7=sXpEYfIm9f6W6+F7Hm#G6If6E9>xn$N6pJ+zi zEU=fLs5yRJb2I>AT%Jt4Nfy4IrB&cu10jMB%^eJ%-Da->J>~74y)?Rd!E{V;;}MtX&-Y7ZBe1)Nj%hA`yNZb z{uiJXh*)?MwHf?|$Gj(mB9 z?a~9M11VMs#a)`-c~si2F5SWSPk)QwDO7&{SC2OE@Y7c&e-;5Jp8UV~=hiqzvHh*V z-#&I`LU)`=`g)vw#0Q!R4==$X<+h0By~0o!yhLv(^he z+S=>D;(t0}0=+(>44iuYr1Zfxec<3}Zv44>sQ+(I8pWPM&|R#;NADSc@H}5f-0eL- z&AY5i1fn+;T)`xeGRro=TG7kMZ{jACG2<`fl(zNy)XXV@xLFohZp<#hclZ87X24hQ1~U}cD{D{er&fCf3DmaZ za*_M&p>FVOl(a=Z*p*mlXPJlJt)$hH4?1Jrbagx^_y{Prd%|k%xziv)n9+c!$03-k z41^`sz=Du^27avnea-TTnWC1o@VS(;4o%h0n>R$-#GhR+3^*aTqtHa$h(78mu}F{bWD zhp#R!guP!?x4I^;gTIs@;fn#9G&mHJkEWdR3d#!&(hDDO_SKlYYUbNo|4}cIz$A?5 zarIK|ZNZIJ%VW(au1?sPYD}iV``YETg~*9#R?$OIR+zQj4gA&&IM>CLPccuTz2@qr zGxd0SK2H?Ni`%W>^sv&y%POuB5&aeni${fqTRU~iQ zoKzN6nFk42u{h1Y4DakyZf7YjA7s$)V_Y22RsdT*Bb1jHkJ93XZNdgFHg~;gg9Slnmwyz zW4bWDAKtLC{;WazG289*uEp&YL|8#>h(43$e~_nTV;Yf|<&XC5^KY`yAaW1+!BURb zr{0PVR=ll%Pn_WjI_~RZui%_Rk19&5)rpnJ6*96&n^f-poK9QbW&f~UT$%y71@D%Ei|*MRwifJs~l5DCJ4(tQV< z!)Jmaf8V)@b!IE$o^o791SwPxZ@I;@k7iX1etmYIW@$_@%qjo8E|LC9TATWm5Ak%i z&nc5F+oOiv!>1lAGEHI5)VAD6?)rVc$k=&AZT(yj39M0L7n9kf8LR{8yzMPJ%FDS; 
zx3LPNn>XCp-UXky!_E9hE?>cZ3B!dOQ9wCGtFX#$dOw>^Ta z6sHB{2bKOP%%xt6>UY^-j*9&lm~xQS0msDarLB^C{x9V6wx|U`!^#6@nCJ|SzSxhW z|GGtDR&KZ)He5zov#7K0>{A65@XdRHD{N#S+MJy?+uu7CA$DBpSaB40h;3beYkf#6 zB9(1?q4eX6%dCC5QwJkA2NJB{FU_qImlLcaSv`d(6;*|;tIIjR7-38Y3r9Ijw>(Xz zh)Ow%PLY{dg}r)6Cs|J?OijUJ9bx0@^k^o*>6Arz<532y{Uyo%;jbYG_MPbP(Xn2^ zq5~mAU_|Xa9ul8Z^uDVwY6`E$3m_;y@HL)h_$f}=#!+naQf2Qp$A0d5`8;8R_RP-= zN74hIpq#v!m=%~16r3O|@Rxt6psSx02r#Oqdj)b_A_!o;xs^l}|M zz9(bt-$L(9!c@X^!VIvRr(&mLXJTi8bf8t65AunRtb2+YyiCcB7d zY1U_WRGH^MaAg{^S!I`H&QX_8Rx?(|?UYM>GU1oij0eW$8Wqsc zpkS}T5pTJ)vB(t5L8tJa!C$o-3Kn}K5Apc#$>7JOqX9n7qGY(vKueM*?g5sf$@G$M z@HMLB`KRiTP+3@5=rWJrH%iDn7JW|huF7i;P#uRYjkQ?8CdqB910L8Z0<3eXmERK5 zQq5r>;Ob+XZCxd|O5xKsB1)4nP1B-G2Wm-mD2Pk3*N8(~SGl}!IXAI!qqON-bZKK; zbm=XQp{T}5Kcj*Zmq8epeV2wAauH2DTo45L@j{L&WZPGC1nDKqI6^ft$3r|5vC;^w zPRR0H=pngI|7kfC`h95_7pcEOnL_F z=eDm_^%DKnXG2|GyzLdg7|dpusH)Wii3%TkJd{BGG~C>G1-@RHC-9pM)&e_8S0#jS z^c7QRB*ZV@E<1KQKC-Vi8p~NhK+)(i2YAn2JTn4xwRJJ?I5cs1ok^m*l)$p1OntJ# zjk;Q>1XebUd|*2J356TWR>vl{YkVd8{mUjlCy?j8DPV@u0`u&HVoam(3GCBA(XfYVGy$0_w0m_`MB~5lR1H{M4KjHoYGh_Sh#xD|5Kdi5AMzt*e zd_R-er#&_e(8*eY6sThL0U{Gw}wJQ zEp8+_yI?|3Ew0P1AZA3@E+*x899i+vzo38+&qcvyHc1SU1~J>ml59>v_TQ6;=9M%5 zhX=pe%H8-92wRs}&KX4ww?ne1@d>5Kxi)*zFM9<~R5j@V6~?qT+8zU|I^k2RbUHz2 zy3Zlph*=3L(Ae!o37hHjU@|kJipb;IhL*TXgLp=_W=^)kVO=7j&&|^3@SZ0qp*%%DGxx)Xvq{WZ%TiT$R)=HNWCF&M3X9GfZ?o}kH-(spFY2Ne&cNTB2l1=z zVl#xn2w0l*c_$xJFsVH|`NFl{Q_O3XK1lv?VSQwMMBru%N; zE2T<<3RV!2EIp8eH|29~;Flo&D?VG(tG!VoG|_~N`LarF<8PNb#igXgqD6rgw^vrl zi$!?vbZoVmHyEM^c3q}Px<$rJwzs2Uj_dZg{d%96kFO>iaVOlqDHDo}8AY17jBW&; zk+qvcudO7}7pHZ?h8vx*k0V=usgl?H@!b^6wD=T-h;p|`>n za!YQCZT0q*Qa{eU>E#{Lw3K+)l2L)qyHAs;i|~{ULAI|ruRZfwI_|U5EE{WJ z>IMC^oku@DZ&~2ufqlTVEYzb0-VX2MkzFjtUf6hdfOwSVV>!Wj9!1Imrd?c)FeC|+ zhW;2LlD0>OO=auwXS`5&V;#LQ4G^r;($z_DPeN0V7C4#O(G}w_+WluAkYY^A&*zbL zvMnlY>^|8NNmv1Bt9?d2MJ}cMuO3cIPdrR(>FJ`AEVGL#M_C;)O!ZUJ3x&QGdJpBP zaGx*od^Y27eh`g*2-D8DTisHid&-Wfb(O%xYe-~-Hp$u=z&Ohbn5At+lK 
zW9E;#7BiXx+cC1c9`d^LQj`ytw^_%V|I^5ULjqHbgoBWaK~hb%(^SX_#@h_jYU6;KtJQW=p>JQNxB(|NXg0ve%n)w%@L-XaGCn7C7 zYXHP*uW7w6SYA-oXW>YIHWhX-~;E4 z>0*LHCYj)EPvoo|^+|oXH}qnk?@Weq`Hk~MApzj+LCL);0n`$^QSM@8(I#4MyFGCR z&L~r1UW#s|soDV)-NY@7?8DfWAazdofoM6ZrEu6DmJE;Ez(p-dOcZWa@pG3-T&mg3 zL?T4S{-s5vpLdn%M;yCY3nDtf1k9+Q9eX47E!sZTC$j_8uqbiA7XY9EymMx!;Jic& zwwCtTuRXpbT4?aig!TrzZggl_Ma7l6&aVvcE5Q!pMiIRGy<1dB4Nwl!=}l4I`VK}c z^7Y%L3Ek81;Wr|yoBXW8MEWmJ3n@ach7-t?MT_MD$tjy6J**0;MRY=CBzSgH@Cw1==JHYbPX_RO}eFH!hlWGL&%5pNd@CuwJ3ksJ` zsL;;fT(8#7idNfQO3|Uzh@jfh)m!6+^@z*wxO2Mia`%i%Px<`lMn zs(SpS$O;zVNuWAc&8|egTcf8%2qR!ByYK`D@h1T{Y;f4CLH;0Bu|G}MxM}VKGePThO&K@bUdnGwAA41pzrK}{jwToF!g2rA8tX6wEcpQfJ+;X9w4NKlqM`}!}(+8 zBCwt7*F0*RuZ&{@+#&pg4zKNIcv|eody@ByPJ-X}7BJbGlZO}d#{QPE8q8HBHhe~=ZWS$>FKk(?FKh`DBooVcRT@G&;4OjTzO0_Zq794zl;!x|?|hto%qD znq%8Jub!pQyeR0@~H|D$m7fdE&NPOcy4NhJseV8-J&| zpn~(?=uhvY9)v3bqOP}|+LqR*4@D1r<>&6adQlGu@%OrhhUE4x^tMsVqG7T8AHz-AKm7DwmR$c(b5b%hkjjt7+A;iQh&ap81`Aimwbo>509JtC8)sf$ z-0jzQU8glBTWyw@fy)WiCMwn%lVgi#X>QR1xw~FAbAGqCT%n&T6WJ%es}nVXH0kbD z_2$DxoHEjbKl6Io#q8UNoDDB--`{-4P zmQ6&QXS)HfwfT6Y1?5p_>wAjH^JDZgnH+lG-I}m-}d zR#Ph(XG>9NTF=5jvzID&;@%6p9>4FL*GIxdK;6aYNLbjZWgC)3{6c$p*aH~?xO1r= zepXJ2^XmYLTLJK-9PnlZc)tCsst3+XM}*1lRsiD$Ih}_;@&<6rpyhV3TwMF5sJ%ff zpe=Cdmul?jDn#BPo=Ij=wrI#rhwtH6kF)ISa&om>U`amEY(%+(8jKBSea?cdvla)| zH+m2h*KRzS^ll*eH4#tOVL`OF%B{ijBvyaJqq+HF#zT-hq}?bqZT^?AkiXyr^6%`n zQ}Om}6>L}uO@Z9@JCNI+xqNL8PMTq9frSkFr131i#*>1u>0eacSRTX>H2t}?aLEca z+ELgLgZgW+z2Z`9{;Ql{W|}?DRdcH75{KUKF>+1#CK*6vlLLh3tz8Zlwt*8r3H=`Q>g^Ub%k5sUscHq_dtL zivH=o^c06Y#I+u}Nrm0nzKKH(Gml~chPnhBLshJ#JGrXC2Y+6>JhR(`?IYa^JdJq0 z*U(n4C_bEqG&G>dmeS9-9ujrwyLlEr|9#YBI?PBRWQ?~Xu*63B7>A-ELHbH1e;zWOJ;Vaf_yzrHqXcw<>{=5A-!zzSK{V}LX>-7%MB08ha>n6_(B(Ir>1^K&4RaE!H z;E<;62IH{pnL0SFwuDbNX5&tSS~k;VuQkrMBLp*sVI zkqIOpl)+lcM{Zvve{!?Tgt{yQh>S5S#sEZ82o>AZmtkmv;qrs+ZA;i>CJL7 zah3hNQ<%MtNjyy!%ZlLd_ixZt>bs07EivI~5$|%sW(GlVI3MqJb63}>*t8qt#mTdD z4pWEK<#@n3I*L5sSJ|M@_TWFPHqXG9r(7Y+^4&xQO~gz>Uz?RiZ5Oev@)_J~@J>m6kJKYVvrw_g{~c}evQO$!pOjS6NaE;@S{ 
z@rvIE*G@G?0#tz&@?%})LKN#s8utBrH~O8Qf;d*Efa=PM;a#Sd7sC8vkBdX2I)V3y^lXzt2j@a_p7=T3^1esn=n{oV0%O# zzBT^6F_dOZJtTtNKSvgHslrf6v`(JB=poFlk75w^nz8wn_H#Y7#JKdC%W--{h}OfT>7>T)Y6RQ?GlL-u~!zgmiRzuDxxCBbrMo28EAygmqPC>rOQ0 z$WDGpv+0l0#AP8Yb#(CF#Tt2$A=-nQlm02kSUKZ5APr*9oS#KT(cXG&k;kwG`w4EWX5^kkv3;Q_Qy-S5cR zZ&hImob}R+bOq2fkYeXeuRrY}9YD>12pOo22~x7Fr$r=MV27?~Hj82@q+o^dIuE0G zJkl;(=@qK~EujV+vX*{T&PJ~{(J2Gq z?D&}$s8_bI)?X9Sbu%RGntVbu+TLEcwSw4;p-7^GsawBE>`>a9Mr(`1@{>)%0JD4D>xuO3I7_8|mE;GwRrROc+Gze=gM_dCF9#x%6{Vo^e%h$*5gJ^ZQoO}qeeHamvRal zK6i}Od5Sfd&9Wgb7Wk)!&}?FTQqM6KZ5=kYq^e)4Cu$yy_Ui?tNTssbQYgW%vn%T3 zX1bGpj(_{Hu*-)Rf=lJjpd({8xU(_lsXs8o=jdCO*=+)WsvY%2*hG@Sa+wBvAy!p0 z_@Jl~HdGGE!xo;i8hqn4&`f&5$&m!mawAk#D))nqPDA^rX36;v4JLAlH>5x`-A)F` zm#-l}*bJZPE24|9TTmo?$pD^m2$nKf@;7;28_>izg-9t$$h;==C$ou+GO%+7>^X6TXtY*^1Y-D*2CKkZ82E1gVOln}7^5xTnwmme;0u zewDWnHk=!TdT8r1>~aXcx{}Vxe&zzL>MHH-CfQG$-jL7n({X(O=i^R`4KlEGJ=|ch zZHLKTcbS`As>Aoccb0!oGvu6$(bgAza8u=8t$wgMkly5eHf`QRRU!X**fcV*r^wm` z4}xr-qun)(=1tOmvwj7pp)6e0Xe>@ijm3)IYKB!d8CC6k4fIX4-)*=3(HB$>1as2 z>uC|e>aqng)k9GS;wmG$WMzZN!s2zoP8tAjCR+0BABLfi<`f~%$hL^YOpN2TYXH7c z7Zo>qhW>kZC~@*{ZdiIE7NBV^u@--xBC^YYCM@6d1(VffVNudz0Pyd}yrVFMLN`MJ z|JmM5)3BYen6Wo516yTwTu*7dBPY1eGvi%T0h5O0F!QB$wEW$G;7+#W0WfB(NRQ0> z@|pYF!@2rOKh|D_P3kz$CM3*W3!W|M0}$vZ=WYGhr>$@mOH=YGnyZ14;p&g+wjE@ zT=Isp!GYz=eN$64Q7f;12Ct8%L&{3e-PD;kjd-g4y@QyEkugO;d0@X&@zcAF3AzF% z&hkQ`m<^^%o-gXlKi{WwV3^H8!cGHEMchv;OPWN|$!bQP>Av0$$6OUs_J;FpRZP&* zCDy*aBPDuS!kls)Wdg`N6wL3jzrM0xM0rM{VLaO$Ced^IMKgQ-=nL$w)~mEqloxrX zmL+=)_hX22%2f$EsR^WOOp6xqSfN@(hXg>BJl1IcskSDlp#M*J`G(uW z?c=hxe%sjTl8}U1<-Uu5SBI~=*=gOpvD@-r9pHi7E0)rNYLI2g*Fc#c8m#S`nCdI2 zX|^nDH)CB8w}P2Q;5##~y2W8Ve1d&m(vx_ht2A;`n+dv@eUw}Y0tfr9Iyd{pw`HJqXD$NYAd zosMyih$lxZ+K6&8Y6P)(Vvb!X`9x@vyeGNe!B4ZY=QOnbct17=m}+p050t&O0`c9L ztwuh*#A#$tfqCxUlE1oExx7?wu)O{fBT6g4QW{JrSPnDjISFcQf% z#1?_{?3%And3ia=R^hz#+(|H?-J40|v*?~%cCORh$`x@eqc5PSfNB^yt1P#G=r`2| z`sQ0U;U_}IS=K1|5PiwBX@E^f+|UStr2fY(O6ASMP^-cJsEdcjzus0A7U_z{#RhU~ 
zJSeu(6R{GV4TJXpE)+PE9d5|#`ZkO^oW7Lg=G{8EN4@mpwe2t)Ep&lDGSVgy^ zh_d-7im9?*YF4$&Qk3X@wQI|&Z6zRlS-+2w+^3VJH;c$Iq0AOeXwV^>2<}avN#;(e zc81%^lLg0W_${+_S$9~0szldtq;B$NKBmz#$=DDDBxb-KW=+6`_*}WoMPP z9!I+*-h^+x%P?sI z@nE33X0!9x@b4|4EMaG9)KRwBIBGIYy{+@eK^d_MN#zKG2Owo99TH4}6 z6R0>B%l8~Evi(8PvB>a?+<17-K`h6em3^*OO_~VdA?_6$mnR#v#!Vc?Ij?+A=w|1% zFST;{T%J6Uyjp3Q&6Ae#<~W=Wx2;cA)9xP$Z~HA1W*u0}>LjEMp#hu_Tksgq8(Ec#Fm8)Hz3qHHe|2K4^c z-m>AC9Ld|&bj_@%>K5B3(D=jRY2v7y7ooZ_p)b0)DZDdiV4Gbx{d4o={Q?&~98Y|a zwp(+kr|8_=KqxK05*{>ojgT&xd)HHR?I^@Soask?d_17%t3vrv%M#854!u0#_mW;y(v0*b3u{&+9!h#5KLquKbu*RD^wBLB9 zZr`5VO*)xi8flT`YYBvDZKq=_Er(X^B5D2<%YRt+I}zp~!(Nq8>FTu^+hnutEsU3!k1iHtksqu;b!<^AgVg zAgSrmE;V2M-58Z3t)$u~Dw!isU(nD8&|Bn0KI(j+wQ4zEfOPu761*CGq961SgHRP)`8P=0Q zVd7X-70XFLr_pvaj5~H;kf9#6%YFM4KUOiR2s5gdoLItOC1Xj3=Vl*no*4fa_B*6& z!kmJd>ux}c&saqajU{u6)WQ{@YUa;)^K3h>Ky{dI=ZR1dzj#EERVnJpBWB_WFWL$O znrl-q%qf@hHLw~VVTh-x7=;ezvT=cjF=e5>Vr$Dmf1m#n;>`Svw=iG-7y|V^v2G&N z`Kx95x~Tcn@Z+=HyejK(={)`O z_d-b{pa?5M#5UA5qJEn^Q?0CDhdQ>-gbv3=1JM}+i|rB1Uq-1a`()YAZl_i8Q8(&(`AJl(=R4tgNr8ZUIS$Xck!TBe%qnu6|c-MlftE|i+4hT`Rn^o-G1l>{m z@RZa6gba$<`ljo?H_)VnD_YaTub!0&+*)2818cR_W<>!kKkuuxTn__^qb0vp*`Rge zpy+?l0Tmu)JBD|Q89n&%=knJKbJF-h zVJdGcjJmzPW1y*ohS}KB%^PO^2*0%3wAJLX4a^Zs3NW;4E$T>q{a#040~iVDzNuP* zfv~$Mxhu+rn5Sc0};vH5qaeQ-bg-Sk!C@f zf_kzQpxg)pnEqV*xnK5TVb=gnWLDet`B!{uHRM!B^{)=7sZZ9ik-^SDdunqfYDd_1 z=$My$rn-sgnE@bpi~4dCZow)zzn3>=EoP-#hN_Cln{qnC|E0uTCs$c06#n z>%;*qcmkQ9bxbsnr$GlRZk{GfMx-sehzQ{`HXcy6|0S=aB=YBzha^|%t>sCJBNBWw z0LLhgzWhsQ8MXqt!RTwRYFn9pvez;v&yxHk`D))tJ4fA*)684Gy*xe0U)hY_>2X3U zr@g&-Muo-oR;AE z05a^WKwRp3@~2=Lz*6p^oYQ%6Cx-vK5BQgw);Xh_q(2R1PZ2v^qgS8UqozjMVupvT zY`jX^)6Qg-B%N8}md#Ilieie8b{a&l&}Q3nUXaUX2-YW)mivm(1gPl4$Hv(6iZe-E zeO%ktqx1)MZnD|tbTHV7A63oC#7}-zEF04wo^`r$o7Qgke%Up}fM;oAQuk>uq(&X2 z*sPx<7IzcX#a&MP5Fu95eMuEDGn84h#9c`Ja$h3Oxx*!{eO7LdnzRuSjd9svi4Y+e ztqxJO)JLGmahtKCF_UQikl-rwi;8-zUpdtvG!f{tbemxL1RwveEmBm*aug_@y z2}AxQkax28TI0K#Oh7S8Ud!*r{+rr%1#xZVPAao6KpW2r)&mA1^g#Hba*sUy74BtL 
z7FRShB3F1J2jENXe>7cRW{X`+>R6H@0gKQqROrlLJ*V#}u!l+{&G z^lncy!_ylmJbHI~mCpjeTAq4|rk>=!I{s6>K0kHSK^3x{NCS$NtFNY%Witnjz!)QA zK=IxM>RSKVnvJJkNj=wJYHDB`^F!YsUpFUgg~J6Mse<=Fak~rZlgT029$R+_2gbMC zv4V*3xGX;}vdw{Fvh4xgBoFe<)$9hvn=1`GHx2`BSfAlnj!F2>cAu{O@=VyDSX+$l zYV)7f@g@Yu7{V6rHG2V5J10j>peHU^T)C<8W&O4T-d0U>{Gg^c<&?LML+cwi-+HsE z{+N_{&(L$aMFUDzbFfUC&5A1J)HystoU_U|qK>)AjX>1g#^gIM5K-J^Fak1`6H~X;z047v{j6ix(KzKs%X}1kqiB;u{>omwe zHutTMk-%$jc2(8|87^~wFb&qQ$k771^2hfYdV@O)5I_q|Ptyu>iRMLmf*hP}P6&z( z`0@J`eugn05c^@3_0mqpb&2Z>NsIH6=?Gtb7c)B@g}I&REdDGOsNl5JFz{FEA~FP` zrm$Zr7};oS5%qkzz#kg41+)k|BRGFfg8a40&FN3i=>G-1f$9b{owaZ4(%D*y1HWS-x?NN?*1Wp$eM~fE zagSEd$`vyeu-tu0S(;l$=AZC;uffG4})L^)o;JIT4i{KV|9< zsLVA~oIigzp1=u#zus?0%RS~1#wvAyk4n1XuXa}mqKzS1_jOU;WO@3aUmvIrnBgH^0q;d`$C>2za}IP>4F{nwtl z<)Nl@@`vL)Q(iwA`&9hi?bqVG`u2?5gIw6@p2{9TX^>eHy4)tnX#>yzwz1Oe-|pDX zHLmsnCdl~P1k(dY!F!D~kMDec1^i*JAPTUGl(a77gHA01)A>qQF8{egC8ZzEI~cxp1xKR)TCb)9oOZv;ws z9d>)04ScGhx8_g_C+G4`wrc}htb%Lm4b@Lz_a6oC% z{9cR$V%;zF(3Z2pO*D=QJw%|?rj2xvUKE&Lt1AnwlOfbs77x6H-~?8Xwtk+ z3PfIC>rt+hRNj;TDahZBIZReu^mTv0z zo6M1K;b%A76Ll(-EWTzH9F5Xka${!2zt{e%gs^N@PSn z$muvR5t(B5f3^4CQB9^@-zW~x!1Im>Q*4NUQ&f;927yrRil8VcNR5gRkS1LSAv%mY z0}7**(7^(zlt@dYB{s-FAOQk|B#@{OVt^1KkdTBV=ZZ7)J@5Ox>#TFmcgnZUTJlF0 zEBBqd>}&UH@8AB3RG5FS0>iw#g;EuEe70jb_F-}v_KOEb*NR}6O$Y6#p%$!?s-%ru zO1pZp_B_G5(XH)q=polNXNw8txTF@t?5gF&iKx>zTTVo8P0yNSpP6qq^Oox7%~8JT zN^8~!MOL9otwg8x6EP!h(cY-$@bMi(xmDNwd5~~ljTAl!t#j&fI$B@IM@)S%KYXmy zD69y_bdXiq(3@CD!WJ0ct9B`Q`(W0A8rim*?Bp3{C`-_R>QB+=i4xr3j*zGtQ>3DRuJQ`MhwkIaM46`h* zUM=A{kXsV=M%NIyCrPb7Qvb3gUm724M%XknD^EalE{}hhd=Brjtd~2EE0R9Em3Dri z7P|Kzq(a{(gMk{kfrFvtPQnF5InJuB|ye-n?hm&J19m;v8S!ZmOE0l`2sQl7{sECI;b*0vk3}QaM zHGyl`J?|Cbv^LJD<3?W|jeIs{`PirsXZ>~9L>jlbYJZ&YxSl#Cf8B^?r&;g; z*Z^Lt$5J3Iv!lFJl-YB*A-?s&KlXDGO=SLjWSd-naA0|5uX_zDs-O5IsP$qQ13Dm) zXuWmNP`i3>9eCx~8*d&W^G6f3F1l*8-DrFnjM6BnOCPCMZpi zBUn+yZJ2?`it(poAyiqUGA=vnu$xTE%ntKe*j*4`qTb0IiF+c_#YJPL&gC26q^%PQ z$$Fu++&muXUdoL?QA+E%QL-Zp@phA9EIKT;zO$OQk|4Rw0DY)27z=Na_@s~xfRWPs 
zzcztO{dPaf^^Y7ZO3Sy=-+t7r?#6%`sqo%|`w2+s1Su0g6`evgah) zK9cxg4pLJ+d2Sfi*0JbL+p0gw#H@3GSq4`Q{(GH|s zKBh=n;5PnH$#0rF7foZg<3TfB#qonRB~Nrd_-URv5w`0`J5m;Q$wPa1$fwq-IzgUZ zQ)29aLOGIbzREJEHrvhs7qBi;eJoIuE#GYsBAlD>f)r=9@r?JTrZPc%7ySr`Kwui z8@*ZXO(I%mP;QoMa$;(}{;Zi3bCGaM#?S-}*6W_cR^eV%ihQZ(3A1J{cZR>po9FcH z1NH&_{ap`JF}RFzm%;{nHdn7Rz-9QDnD6CFUV4NtOY1}{g2lQowqfJd7*3(2UX3WZ zUSC3e&3&XAlPQ%#E6lA3qwF>Cp7U+ov3LWD=;c|-`I@*=`IeuObf4j(9>$fYG+VGq z+Zqms_3VBg?~G>fZ^k`YN_xml9umW0AI`yX^10PiS;G8J!Q6|uU_bJm?>|Ze+QxS z;LM5o`7n1ee|{9;V$|Ge%ZEUbo5Iz5=FjLEEhX(^Il&^&kJ(){(mRx>dkt$cam2&o zn?zGKNy=DzOWIM%IW)9+_4d4Y+v5o4a^xJ-`onRC=0$z=rrJq4=iq6D!dGKVU$D1E z0HaznG&$>9kYR!NxC+>1BQ5eQv5F%0kS32Vi~V;wM!SysrHr>l5Q0hroQf~vM|pC) zqo3oQvwZX4-j+Y`M?i>ru^bwyXcz9b2caWN8$a zs{cNCYp+h)3<<0C>lP|w)Q4R@${!{@$Pc@-KN$UuXG56?Jk|+;0E0}CsMW{4VB;f{ z8e^pb9JaFqPksp_Nw-ive0S3FqbK4S#MebmlkXj^P)E|wpea9*hz;z zNgu;OGc;3gOiPN;7W5X4Dm4Uv#?&lOHnw*fk?&D?Z z7MZ_7A+>)I$2}q!EkP9Fbta)DN`A@W*12nqYU2rew0x|GY=ai78r(OnHL|C30g z!ta%4#~dXSF=^HTHOdULMY zd;W;Ph~Srp8+U5_;z+r%S(`$64AUP@@n5IG%hsptKixO?{a-&)1sea8Zn(-<7hU}y zU=}}gR@ZumT|)Qje)HEKy~POrH~Pe`+p$Of2BLWN|EI6}09IMr5;f@1A&tmh1&cu+ zzw&zB53lWl37b@i9*yDjNKW7R1a4{4DC*~TU9B*C4a9?z>+ir)st&`!|DCyUFsOQa z@h1vgq8x&%BaFHDSdBznsv`4`oSa7Gx^KU^+iBCQJLU=%=Ruye>+bHYe>LW6I9_0$yZWzZVUjj5Ze&?d)L*$T><3Gi@YMbRW7$?|+|z;D88 zWlZg%LpNc$kaZwL(mTf2d;Ly1;ICI;xbdbbq8v|=V-GZ%)lH5`JKFa=uTy3@7EVrH z?k!CDW+2d^)?tt6EO}|nljC+eBcV3wV?LxSW~@iP3xz@CuX#9kyu?|a9kl(2J*y8& zo|v?!oEPBNRXCk9X4S-oL=V$i*|B8YI&EPE2JT_Lp{-WCv0Iq+$xA4I)TiiJF zZ%yH%++AN~2HY>X`))ngT{(H~w_mjgM)0rf>$i=G|M)S<|HSTJ6xW@v03eY70XI#^ zWgop;Q4;0?eF zC!$Mtc@4&!V@qTKRbp;ZmCpu_8>8nz-%J~9nMTr1=F3M=I+;PgqoQQBZCc&-*(WB& ztxrnAWE0WsTknPB?-0}BW`%a-TUkimx7d_?0cT@-Rb)J#SQS^-dT8!yXPTD1b_%nh zpI1e45>xG+&6Knpfn8=K*2C%p^g^z*$8fIoyMN?{vTg&>TYq81@HK?Uk17{O*)? 
zK8(KanK4rSu=HgmC5|xX5Gwm!whP{dX9;Bk$bo>`2TXx)&r%d~W>tUU{=L{8^o8~@ z->Bhuldl*W6h~qOPmtfeU@9*u;*zLam{HQwDBpT)HlOq;Su}y0qT4R>t>qKVL7n}A zm^Oa;xr5dy_9@RFO0Ca}Y(MC7x^eN3*LK+l z=?g5nm>~cdffN@zt{pmjM7buY?wIY;&pX>+T-^itgH*V`08c4TSwmg!9L{=K?|-L7 zyw&8JZ|F?G>q_;Ogx!NybsR(d3H9vUQPi-3k4!UZ(s1=KL*vJzqoZf_;)l6mQuGz! zQg>T%^ujEL7a{<}2}-E2iGF6N4256exm(g>$ySw|@%hA)xgaV| z)}J6xrUve?EOg1j<+A%hzVgk@hKr1b2wxbz z&370@V`?re2QgB|+c#);S=;AR7&OZlk$LryCx-1#O0w~EI8wloF?`6m=pS5&*ja8M zS94J8w6XjIcOhal!I`lv?o6D(U?~-skn%ynn#nJ3Rfz-JU)}#Ru=M$Onz1g(VlaVIZ|O%dN*U+_G+FXW*N1#k=m}ctB6K(_?mv-)!5^)&KE_a>_}yA zmChyBylk*p=dgw%J4xe~0_Y`svRI!7^)8~wroXFkp)d9e6YXun(`k&Qd^S3Z*Ut^_ zNojlBToU#Hn$}Nn4d~67wi$^$&-UtGPf9R>e$^60lZa2FUp;VbIIR%-$o90i)z!M{ z4h_Ud<(97PY8~Y`&Ygot>T!xc2s%p3FWl;evq@a)LaPn4Q0&VNVaxoS$;jNJe5w8U z2wgSt-U9QCl4&tLP4CQPV!nQug;557FNMmNtFqpoRnC@y{hVI!m3zmzlNtIir;4Q?_$hpi+N81l>%AdMb}zB`HrOR&foROk@U+ z67_!(g|ep4o5JtiTXX$h$OlkOMm?pqUavekXn?ldA(#|bhq3Ajn@(_jN!xG{DZ(_X z%3x%q#$l-EW5b%N>+#{x(;jN;i4`Eq!n0V~2asjtZ|?($xd#>EZyzipwXXP`AU?dG zsGZ*-D5DT~Ez;)c0CRFn)-pDdaH&E2i%_%bPAr>HTe*w~U-Of-fRW zjLnL;CP;!~*8xwcr(3vLxVddSeC@5M^3!leHk?nf$k^0kI4Ke{3UHJDru0O)9P2h4 z>$H*Tks@DBoNZ89ZOhl~B|h{O%`1jstCP57g}E|=Z}(6B;A-|e(VAma=l8SBIV_%` zR+W%~OD0u|v4#nJV)dnMU2j_;95)i2MN4M;zh8EXw!2k4&6gquD@(%42yq{o4rBei zSjCR?>Jk^<<9Uy4>zAF;8!UsVjo9T}?Rmf9G@2}+AilPSxwyA$k0Z(k5S@>z9;VzP z^{_PFo;wiyti1fx3tRzk+Fi_X05b-ZxA zxu9usB_8G;_U=?{YNo`le)Pk5TJrV5DMjTTUV?VJj zRdyGcw<*ZHi%@W=2Unm#1X>U@_0y^PPk~4Y{D^AL6^Ie1 z&XtKicGekD(kW+Bp+50h0!tJfKC?BKh7OmOwCR8_oxnLqLt7M%3L^KK`N?FD5k12T zDOC1Zv-a_r)J8I2Y|3uC!bj%2g%_TAd_s_lIWdH9HuYwQ%tlQS%9+mX0m+y<91`jl zLS$3dw0wafzv}E#uHG%Z*31<*Ir6>jmlC({M|?AIm!&C`n`|vBiQQ3+O_keP=?v(l zi$DfRvGYlZu}}TZ;BprrhOYGdzm=-cHXZ@94{MU7X+3W3fJ+%qR~hd>1Kf?idX?%W;#X zP3P*5mWj^-LdIw@6oEY{`oG&$!qe4F-FlO(j3o$65Nl0TjRN0ZmI-wvRz=E^Q{){H z6L+R1TZm8MWP3}wXSsOVG|$1bh1Xe@eu5kGZqH`fx(2MA2v;ErJB3h!>#rC{yjy&rRd=~-dnCrWN1Qz)~1v4!Hj|059_s*IWU>TXRh(|Kf z@wK<^#a8(JHW*ubJb%^&Q+Zf^PP7=9$XVsN^eoJX@LLWaXA>*RZ;XF^?MjRB%Mr)yDVcp|B= 
zz`5z|tc&K}*Y{Q+spf{_yDZLD9Drsn6JpktdcD zuv+)16*w4sblB_JaBtqUyap6*L~p4T6H0ig&Kwsev^k+n#IX~bRSP&BD}VmFV8oqY1~sqYDLrN&^keE zNcJbcu;$Nr5%mlWkv})n&?sbS+-_MD+cUDZ|B24k;(P}^dF^GMtwF!AN*>NG&;Pb^=XT=L+L9igt+)-jW4oZ8zar@Q zv~EXpA3W|RH<6|a>twjK!_PqGt z1J)lJy^n(6JNv%`nvF?lNciX*^`rV5ik%e;W2tYi|A6GC8{XE`c6OMDof0hxbF4C~Ig9_kDO22 zE;(oAfrlcoe8}ThgT|E%TE6!4!y5NAr^#l{#7lo%a`*o$Z8F5py<@^?^3I2dS81p` z?dHQ8MR#uLd!=Oc4D^(#Hr&*tLFdqrB>mJYBsIinlg_UXQAvcAmrj`VyrObPfOEN` zE5nu87Y7Q9hT`0Ap3DVk_504=On_1yo|7d#p6ek)%I0$CU~Yj{sp@*yo@({PPP0Hs zT|1`T9OSPlL4)nA4c;A7+Z$Gpf=sV;L%eekOQrIdk2*ks0Dn!jfssAEPwR6(Xb-D5;5JRzR&UT>OY z?!P&_JL`@;relvaD>aTZs~1ghj4HSMvEFg@V}WwohB)rs@xwG>xvpW=6_(*ghVC3S z^ZB-TzSG7!k}=#kKmBiyA*4T#391e3v^$b*pnp_9;Y{j$TzRIrgX_4EkL%bDXhHi6 z`O|??U>TGFP}zcK=gdIPORZv8dSgl0dWZ?=&^@>EPKUVHdG*40kw&QA5P6yw3#Ar_ zu{}9KbkKrCRn7}8z7i;++>)i#pm%=kEj8KBPNOhH znsa@p5+618>^}E+p-weHJ#g_J`VFL9(zj9!`UbCp2h_6w-A?~PH$@B{-n7AcXewdJ zi;M+43es@F19_0vtF89yYV*_NvzD?v%TEN{TU`~rJ`UJhtm75Y%#ZBwYj=$L)f!aK1!Js@m$1s|5ed+q}7nqb923GnenbN ziDzO~&x;(_ygU={Pp!>Y>7>Aopzi>sE92u}pSqL3J8AoUcb2|h9G7f%59PG*=DSJH za_JcrvVcV#XmnT)YHW8gkNEt_Y8t`NrVGn6&lM|^K`#L(QHRclzw#{K;;9fQ@3e+} zYukPRre3x){_0!7Fx=6k8!UJC z3R}T15cR>k&l*Zkjqka9=JfkFwHoC*IUO`T}*b6E9W^yQXQbgZbwK{0nbym}G zYdG1_X5KjY*cI8^wg@%zAu~SLT_)MC?w%IthR-vG$?s+6ClO>5hZh<{`iq7nar3R* zvgeZN;>m)btl!eL?H)hx;_<*jcdT+OvNJ94wkklJAr9kTk|eW<+*P(A2b0x`?9Dv~ z#x=a@vpUtjsv=xq)oK^)Ov-(oVbE5QA+d?NeHLD(OJ#q&S+H^obuJe&Sq_+E zp&GS?M39a=Pw2Uq#s5zfZZ3!I`8ah;InC{!V&(uk-?_MB)9zp)ck1G_HvzPVUwP}_ z*D;@f$=rnhc%#eCNjjLl5$BX=Ml(=hD4)vPf0i6^uHAY*68|cgTJ>BEs`;@b3yZIc zo}iY!Efr7P&FU)(7r7{dOqLk`oU= z9-8ouMIbXcz*mP)=cxKd$g@%j1!XXMyuKtn`>)mC1s}a_XqePjyh*Q~fM512974tY zN7LK4=|PL-t1b&}g)#2Q$K8%QTgaz&PS*Q0UG&^CHqmhLuz%dE|FE2lR$6ygCj%Je z9UL&_!^*2t!obn~C12FEw4N9D%Jp*y-`azPH&hg3ij0dbs$)z%%|kx*1+m9+mBq?b zk{RyJ^O(u^lZMKx4fQI(fUeiqNu$)Q|AV4^s7bvb-u+wM2}(IThPWz;p_C?xIc-xp!hT2{QOR?olnJCdD64`aM>0Ao_#jOFU0 z#7PYwmNC(Euap1ArmktDeF&DY>_KP`yEoTR;b#pyIq6lE+T~WJ3=pJvm!wH~he2a% 
zamU;O(a;bjr=j#ep<3K?H8&1$2c;n@lcRAK3gP=uG73SrZ68uX3ZiqJHsNk>{$^Hq z)=JN2BhG#T8Xairyfjd7SHr(GzNc{MC~CcT$IRIn6@5EngU2o5C;MDcWviN~Q@IeR zC(xY*LU-kGL#OCv0$t7jkspInE)u$G52;~lZ|sXQhw`Uzd2(KlhwINGQfxo zQy9JjUe+=(OrTU+i6s`gxm{d}f#s*XNd*!KT)2jMzZ0eRa=d@PP zpQj|$DkPLl%pYW&HJEYYypl8nTnBb9=7mZ#hBcL68%@!w%63;T*kb5(q)s zY4TP8bYO--AO6$WoXUex6;e#l5VdU7^Xb&jAq;S1S8YeDC?`S3IYP*Z@s`VH{pEL} z-z)*d#rMnIsX5egH1gfrhUp>KpwnBLInjxiYpb8vg|U(L*ngLSA<*b5Z_RrG4W|Kg zxcqj|y`q8*w1fSNUvdnm>^ZuW55{M=bdj3s*}jru8}{&zKcJr(aQQmQB^64K;TN@`UQ;@@=?%|Gr0#XAf& z<5|87e;lz5w`VVRkpu?vAm@S>Zo?g3dxrsQpU$e-1<#i+Ra?r|MTZ*0w-m0b1Ogz$ zG$al`K8Jk&Tf^>kLyI zsmcDK^KS-hmCd(LJ_ZCttGqgPnyhORVWsOmK%tCu0ZU?B9aGt_1m?NhByb_)D$fl2kJYuma$SY08jFEqH^vzH<(sYNMSB~w2d{X;Wg#~-QmpdqMsP>f|)f?EW zA>*AF4--WUO!Tl(wjLwr+2izmI8UCg6-d?cZSpFm^870 zRvvr2FRefP;-cZ|{?mU6SQMMGwZ)h zx+*Mj&>Lc}k*vYD`uBJfRPF}^?xa}ACIVXn1JK7nXBIdj5*HHa62HPlzNKd5pd0=v zI@NFJsIzqN{r4{=8>?4G#wf`7xJ>Tgl*uJkNjISC>PNQ!&=iO|RNXJZOe4};BX|*} zNcX(Y;6iEo|9>;~T7ENLpTsoZnp@9%RAT|Iofn_v0M@6mcpQBxJjCvGj&li zoaN4SeH&Mqgsu_x%8~JSg`~lp-8;<5C_M6?WUrTONtdX6YvIL3b)?F(!n{cXZ9#rO zp-Z*V+Z4e5-CKDuA!zg~;Dk`FmSZ;lEW-y0n`eq}tSVFg6mt$?8+K=&4iYT;c=p!>N% z{%TYADy?IO3L+`yby#(mzAHN4X%%PsU-@OOYzp&=jI#@f?b+T%3s(YYre9y{I6GuH zipDPbrqwya&=Y=OtAgquY8BAy;fuHGEv`CHEqR(-_WqG2%++Ve=zy{r1-sP$cc95)5`UiAJuO4049BRsxiFC<3GiQ_jC52CO11&SJu{srtCOD0Og9z z+lj3uPomp7g^&|9eJN}U)t#+8!T#OfAp{+|Mgt|x<{L(7sgh#91C-I z?kx;NQ$GEy=|TWGB9$NRr$K|u7t$)zuiO=_&OMQ}l-NT*r5v=L##Ysb^E?uj9zOS} zXWnYnmOL?LrU@ND*XbipMwzcmb5Po+H`g2G^fe|C+Jml{H9~xZ(>Ca`pgr+>Hj_Zm ze*WraaCGXmj)i_`rj`{11cs%h#OBuz&|~|*I-g# z>&pAgpf^OPjX1)>ol5oSyHPz9)1pPZxXXoTpeG)W1Dgcf|Nen{3KX*042E~evY&sx zGMJtA(~w{lpv`3RsMSO;FJ~71?ZLuN0Yyfv#6Dl zyMWJcRWEvK14nD$o?$Q&YNwmgw@mCvHE;nB-T)WTZRGS}BO5sChQIb}8l0PY2~rtY zi*u(?-vHeGuYd~fIb{aNX6ey9`>YmU%m!A2*_7A52lx41Yb18M2pabupRVmO0EPg4 zT~)H?*v-pOp$bLNg)NWji)w3m(pr%`*R3}j2Szid=c(@Zl;eg47NNi)IrjGIQnme8 zMJHhL%gFjt;n+~6!5;9ihyvAly&SjK013%;ZBc1!r!g$1iQ_0R&Zp?;roCq&W-;LT zL2--5Ho9JKq3I?o5=%ax9~<(5QclO38C;by{YD!kk8)-#zKtZ8R~K 
zn}=c}Gc`dDBa4GBN$^4fc0Qj3(2RaUctV?^CfbIW#TlCa044V2HHXj_LtcJ=>rEYw z{pq%m2qJ?`*gE^+>130sGe15_U$brmMF3t&T5U?3xmo( zsX{G|()nlF)SK^S&u~D+gLX8VmYY9Q97*Laf%4#3vw!z zTqCu8O29DpI$KNVcqGDqwNsFgYXKH8erEXULau6c zgW4Tu;IAR2BRnzGPWr4FBkTShdU(yX-oLKZvxqaxOH21;md7pPApJ#qYw%M!Fe4+l zM)n2RCvVEk*gF@}?t`AxQhWWIYE7A>!dj;K&&;(&lA{Jbupd0hb539&4cwcgD^(?} z0H;UT=0bd;zwEzB!&{rn-t1%;d{J9MM}j#!S+UbSfIw=1F$<#Jxe?!`z4u?)Og>R~xxxFl~ocm*dU7OwJT>!(ig9>(R0fKCUs|7@l!G zkQyuBdT7((L&8`PbZyy(CHtjio>*`y8pVOVJDCr8I6IltDA8Z?II@@R1bHEkQ1%r? zzvdak8ChX6r=`>oM`4S0Gc)@z9j_JY=SWI2sL>CbIKt%)wz0f8vyrA$VcKlD3&nw7 z9!ZZpp-*flafcpJ;+pCylK|K{fGPnIM@cWs(@Qy?xbzUGkT*{G4SZ69_yB0dde!A4pY@?!tjiJ4ROD-8lOt9)hF-v z(p#A?uCmcF)nkU1d3ksZYhKq+C*Z#->M*RcA8qyb3>%~SlBCKEiCyNe-7&LqrCoR{Gq!?zY3V{|2ig>alk{6W zT^q^I+JBDtq62N>ShPO97q1b0L$utYY{eV)tM}9f4UD;WZEH4EmGobxT@R5z{UtEz zk+nO`r<53wa{&fBWgG$IHp z{NwRy{VrD^347!e8QW0hUXRig9N0zK&tHOhtlC-j33_7*epn~Rbpt6wR@Y{ou0_IN z%x#!iHO!^mV}~OLCOV=)wFXv!-5;hD6Wk`p;`JUU);|nFsM9G?TrOk+WR!Z{${bpaf)_{j^c$ppe0g=5t%$5mA=>-q`yf}|@kSKuzmjkLB~SZI zxH^ISG6|)D;;Yll)#*-o7T#J{i^UHK=|fTKi_+9iL(<7$_1W(89r35|H8T1mW(A>u zr6^pkuKh5W9Jnsj&uq39Q*%jnBdvo{-?o*MMqoSP0_?@dS&0Eka{oNBwZ2?-TG~#< zN63=Tcr$NJ^W>|D?`IRqU%c4;KxNzjkZtsSM#^|h7ynrQm#!zxLy9oD#!UjetoxNk zT0?NF9zf|@I^MJI=|N}B3(NZhgsCn2Lyi;QwkP-oeLQDfmy9e`e`CrgUI@^bzadSt z#BLT@_gM2ww;Kz{UBf}+$ zk7_AHkMIIyX>kB6NQm1zl9eo`v^B8u#lFsPUpA@-J0omS%#TcmJ107laH*r6xd+vD zyQ%EjeSh+LZ_?J(E3OSg$53FNCdLG9*-wf}nbe#74S}iEd2@USa(?TJZME?8KCWp` zX7>>yS>)>o^qK%!tg(J(;^Vp+cp)RJvbQtLaG{nnM>4Kg<@VWEMDArJ^}suSm#8DbX1O8xpSB?r_1KvDAYqXe3PR^Qv9$hT|NUYr7B36I_Mh2~)LTN~!S#~UXR z6w5L6olb*-i#tdlo4ETUQd57pmHhtY3$0xN^(DZo3I&nLPY0it{NKbd7egYl^Ajtf~2(gp}UmA`uipaR=d<aBO4*y!0rnU3aB6)jBQOU;8pjK^*sfO@8yc=o(TSvb!aZ3oljwJxac zJ%EM;0A#^v$5w z-rYjwrh%{H`b(htuxLji@JBJ=^n;};|F)0Qm#*XVVYUuH5Ll>OXK-eYBqbcUmtO1<{vfkhmxJh7B>3=2)_yguEnti6(|4vZ-nKeGM z#%I>}Y@JkFs{iLxai6uuXRYyBYkbxkpS1=Era^fq`25#C#b@RCSvh`Ij-Qp|XXW_6 zSUG-F;*up_9gv}&68~#-c&xnZ5mRlU8Uadep<(AyRWXK 
z_jTO0_T9@rt=s%jvkUAJuaD8F_*Ip#%CJ>G^#<&yZ#!JF#^^oR;r;ywvKlz5rgrQb zxEeUBruGP&2#%_$dA!lR29Bz!8Nb)s2abNe%xBts=9|yL@V`J&^tKaqAx%dohADM^ zJ5?&lwKKfL65>Zv>9X_2G2MN0+TW=(ROK6Rp1qq&edT`(@9Uf2txT|oRTPB zwL_L?chV+=iA_u=!pZT(>P`o~b#e6s>FsmdCcNq`_T94;em{CMvl_kc#Z{c+$&!ZU z6Dk7UdsCSG?BtX}=%K{PR#Ff&o@UY^LtBa1sa=`;*XES4zbvMIjjUvD|B z9-*W}lm#*{Iw-_6FF2Jj&o3rR#gRWA6N{*EhFG0_6U?J)CWFOih{W$XAID3%_QXdb zOHT|mt&@?b)x_dJxIkj{mqGc;<0XHP`ND zaoUH_hlj+`6U~$+Te1~~jwB!4H{*=|&iW)VWYhtlq_{=Xe{*j^7L}F2BKGZscgKXx zw4Dg3nQUNu*y7)s)+xy8uams#v&37?Y7|8k=&}+cKbg~?$PUsSUmTE;6uWozeVHSi zcKRlk;a0o(C>qyYxL{~$KtPKcGT-+N-xMH~%X!Xa4srO`VyyG6o>}V-?OQ^_iKHt8 zWJ%j1DZ+izt+WRHiOm1!kyspi#Y84&ct(a4ypxLRm-CVNvc^GrqS_CBk>7yEjW z@$+U}f|D`iyDjAKA75Ag^O?>%@OF#;TwoIm3(pN@LeLaW^Wm83MOm98xr7#&xt$yJ zIzhd^?m|_eN@RZe4WiRdA`E2z&}Epmr;2V{u+=7Yt}jmCnMZ{x0%Jl9UF>2)6#jO8 z>*3w7a+_3(IPMiWLjaq6#kVE^9++2V^8H@BLH-ggg9O=?XK!=NOGB@${^N+ia@nC8 zv-5qA)9wtQg1mf$ zBJ8-W^}`{)S}F=k7AH24y+lHqMUn z`j^7FPd=GTiDlD>`=6qx3-OcxzxE|>ViM@Bhfy3w)^wX=gR-5|3)b16klq1v()a79|MXBXt~2D57i$y|MUL_+CkGE 
diff --git a/docs/images/thunderbird-tbsync.png b/docs/images/thunderbird-tbsync.png deleted file mode 100644 index 0c8680360d92361f8e96891ae593ad8d1ba6fdb6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 22902
zkOzcR$JHW&Q5HXDObbgw+i6$P(QPm9$~6@8*6svhP9I3PA@=IP5eB-ZFnADR%(bv#Y*V zc!82vHh~+I+{;=R$y?Pj0t)mL8HFgP+^@@a17>cczM&egSpLb^Pkb9m-Obk5$10OL zOg|W)f4%~4bQ9hy=ngDVXP~qw1xAqDQ`CITlGu5*vC3|{GN))T?5?#WC41$q!Bvz} zQd^k6e4_a&3qdKe>|1MmTDOf`!QltA^-Xx30ioZgT*}Z{SV=mq*7Y%g5WhXR=(u)lRZ zIXz6b3A{^I792LTSf8)&3@M0u{=LizYzkPuBupl|iR-GV@H0N1#tvK*1Si36gcb|B3B)4V|(Fl~W5^S;K_ zNu64)dZ$^lmw*znge7-la8iqSd+N@5u278Vz4E6ty#UL?lxVnljAGW&9FVF$;w*sj z@Q;Or#SIQPuMPx`6f`WBGXbxKp(I!N1p55klKcbf|D-zg@9gtm;=(^*g**9y+7#=Y zPi??{MEPlYuUEoE7BO0vzS#Cl=f|08c9h}b!_9wDe&xlB>}e2H5=K;#MlvjQr5%>P z_fqi#ma?Fa$FZS}s3&vAPY!?;*S0*yZ(OJL7gS|{CbX0BdTOwXkPWWuci!FbX&V5x zsJjbXU%9>-1_UmKk%88IN~y1(AQi9Kr@Na%3W(wd__xBmtf$nWieiKy&U|p|(wi5Q za`FlEiG76a1Yi1dxp&7a1{yyesM})>%kr(nRrdyjfB5z^ZY_#36r}2Zc-DJD2m~Uk zGPg^vNMCk^tX?_}%&r1`K{YC?%{za8^mztaC{0rD5g(Y2x>bhi`%FSCw`jc2_fb5* z$JC&Yzh|oW(&0lbKQ9v^$a{B85F2=1!5DfP`GfXw%Gxy;K^k5o`?=obZ%G5cD|amQ ze~V*^ckes=?ne{t30II&PtMIo)amoc=ag*9Pc+G7@SA$?S??PAthZ9-@y50~?DkN9 znU7~{rW*!XDeJwuzG3PUR&K7=%XYk#Nxs{o^iYGCca1H$Jmy)$@_yY$R99d>Gl4e!c&-Nmp<;jNE$+P6K@b7G#4| zA7s{e5&TQeT`!1!F^>m<4>pJ<>=K&e4YBAI2Ue$ninzwsNJl65Qjp}$tTWhjU^t2s z*_K%{?vhS2Dm)V@6JI72b744!6hM#U(k}dEh%YvR#WwOeUnS76qvwG zqW^qGKg|1x)8;iA$%b^TelE&6zbCz_Y|0TvaKzlJA*S>dvuZ{I6VpGt^!3_LT0llL zghWcQr{T>?TabsBWcjT=C3qV#zY?vCz4LsW9ZNsnj1ZirW2jFzwXd^R(Pbs`EcVf; zOghdwZ0Gc1ORx4nmiap$Q(Q&X!AqGNe&!2r`R^b97pC?1y77N#ng8eGb^7YHE`ihj zIO**0^FiW(YeLeH9XPT&;_v)U-GKjy$g3nb%~#Q*_mAqU8yNFAgAP%txrppgNUdhg zSmpIRCa~s|0h%mXFC=Zj4bhE$jSfyPTb)f4AO3YwXv9vzt$q?`c-x91$US=Os$Jl7 z!jxa|TdAGmZ+xUkGO2h`*y5m{vuuyY{+R>vq+n3*J;_aEdJGtWAPC&L>pQjfwN+P2 z$g%K;+bIEKi%P~#e#oFVz=kljC;kNPhP-u-;Wn}>0}Q;H1sltVc6%~uv~O7)Q}Hd~ zyx7a$Q>p&6l`mDW0eTd@nAsTAtYGYQ)~IbS>3J^TG7#Z8nS4ndzBj!{%IIay)?~&n z((Xz7Y|;mU8hPF}{_OObA!zV7eBFY5DqWg1;*r>mmw^WDte;r-r*m6D>ws|DJLdTh zH=569UV;S17wc5Uom`nm=-m7R2#p@jo>dDqE!VHW!Ng&3DtUgHQOJLJLzHfScJP-s zM{o@EeB(Emtz!%;!zk+FLGvtFj^>Vnr&7w6mz9ApJHL}PJT)6920dsyS_#1JJ8ilz zC#MpVpM+?MB*iaionxxI&b7aXDQ>{(%_+&@j=4~uA!H7LON1{41 zYzy3t-r{4eJA=}D~{j*T_ 
z+G@13=aw7#WlQ)NhQhq0uKFL+`$yg8bbjXqDU1Jjdj4=KB^~wSm==8pCbtPH9}X*N zw)Gg_>%7zXtR3WwOMkevjZ<`4)n4s(=++qE1)umfQo${Dzsx|oMZL&62$H>@h+o%y z_5Dy1pbPl4b1DP)?PO z>f}c6RO$Q0;#yidJ|F05LT6W(_^6fSXn$M;1R%&>I>? zV6rl5yyA^W3;t#;{+q4|$-+(pwZln0o21u8v!?Nq>SXISuyOgVk=~{A4K2Nz+JJM$|KmX9 zAB5xYuonLlUw6=JY1<;9)$hQPpujX8kmd?%l{Dm655RP?mwB&iQYx#5#C3GoBd=?s z*uvzJ;!d{DqXf&d%k`Fn)WG#do15|CnD2Z0%N9uoCXsj75X?&w_xri&E#A zpoH~U?$$VO0=czAs9FtFNYEy+xRF6v(fExBGMJVS*Hi!pg1dZ@*JPLI;+XkcPv z;>R;Ee~tAZqCd{RMS6OBsyw(FR_=hz9+7EUjNgv2f|rE#=3axuZO35NJ0rTiPKGD$ z0;lJn7%bF|{_eP3&TPAT%b{e6es8?0;4t=51leZYL4na&`{Af6X)luEj=qJ|sC{K= z)RLL)QEw*-qCA4nbR6Cb&4@=Q)b79ps`c@F{j4GG#~6&0q%;?CqNjmsn?AOyvsbE5 zt22J2<8b#d#nZ|5nL5TF?})4H;ptaVepQ}WR2q*7;EnYSGVy#yh0k6yq|ooE|4 zGkLy+VHm%7{af0h+Ph=K9-O$sIsgPXe~~^9-{De%jj%DAAftLz+m5I)#8vKdZil$k z1`S#_4iay;JYPZGIe&)PipKPKHWj%MRN+b_D@@&W%neKImEw+kk(OKoRcTfFZboue zh|kd5>v==?M7Dn^&2sVbQX;y}Dq${^bt$tG=krS4eP~)M+M&?Yl{vqf*x}+|)30S! zR^TLkY+drYL6YVr`8utErca*Ad1bQhlBKH)-GT{QUk`qJv-)2AigX^dgOAlIO7{-) z8S*&u)S2vL`-`3-(|Fb&66ptCPMuNAHZ3ajtr@MlxTf`ja_E**kLuZQelVl*QkdXn zMsqStBp-T4+As08Mr2eqmSljo5;1=;)+CQsq%O^{N z#2(vkx{2)csU6PHGE87`5@{+liympH!%1f)xc?~L92;<9v!70oXz(fRPx5c; zFy;*U4ZUQ%Y-Zd#o4~44Dl0U-&%781E^8x!&qDnT#~fd*Ye$l_%GGgB)YptJzg|Qq zBLfLh`6}(E@v2CLmX(Gj^R~}Mt@h+ebtTeAd&CF(Mo$dNXXwacIyU~k3ih);jm3mR z+O4k?@QeHcRj^fX^>&2Iz&%fQgn6r8_w@ev>jcxE6)mlhRS#o12%0ia8j6<$%#X1% zd&Fq{9s#i|gOsiB5*((gJ73SE3S~{bQtgpnpV}K57Qo8L!wC+ROKVypq#ulIbnDtG zh~iyfLb8Qe+UhbikZI7Mr^2^P?)PNTKKGBeoz}Z#0f~!YfJ=(&La%iL z-}|b)*;xQ1>?!<0Ebj=%On6XKl}IANz%%%!v@=~-nCd^nB%DDG1g)eLuui4CHd0+9O=>J5mO6H2%%tw?D^+ieQ4$ z29{ge9L`FVBYvDro@*1=_Z|4fKAG^N^H~lSoXDxV zBwh=%g#X$H{I?q;|HH?JOuBSFIu((;d31hM?=Vs)?7au|J?9CbgR1BoXSN;{a3+H- z=k^WAs^!^%plQQ%TC^5Q8cqe-TQ*;Qz+tFsJLXgr``ehMSrplQX7?C_@y>Y?1W8`k zaCvY`oVFI}C^GjQ@^d0TMSn|!+dB>RIJ4)B1jaAEARe#(!a@`yc?;C=@oxa$&=RXt zzgwKu+2Bz=08D_)Y<~D%65QjQu?wu|%hC(k(J(o#sSdVYor^#3 z%>Y*TLk=b&Odwg?VT<*YUSVR@u;}2WKoiQ{FCkMGD!Q-V*=828J!RQ+xU 
z_8lmmNMV$2`R>bO(S5JFl%T_|RJ0~!C0L4KCaP|Fj3o);D|j%vbTcdjGPe8|*GM&0 z2TCi@J45kI^Bb7|1zTq=8L*te&2yI=f#)2}u3knIM?Y0d`67~a)r#4K!#YfXj(g=+ zB)n~2ofl!xv9Efayze!k(NNi}k)q?tybC%Qk0@7JVlL}IDf#YqoV_Y~){4CcQxtwR zWj-sY=y5>}Rm9lmH@>`@34FAVmhI1-j{Qn3ykLG zEj#L!#lr_ryWVaatT{QoD7Fs3D^Cg9FjmHEU+X(d?^VkrZ_|| zMc>Qvt@SrA$?DLWa;?rz$1{Jxa=NQ4%B-_?j_8+W;k3Q&3tr$!2Ms=YffQ(IY#>ZUgt3h(s$k{37mgd&PbPYaM|?JLi>N*mVZ&u4t+ zXKH@HqwL>>qE|cYk9PLPS;9qG=^rfLP1xhKnv2!a-DP}hS&lTH(V~G2$1om2Bbh#e zgZV+e6rEsDlKkEW6xdHz1jv>_J4i2igFbQ6Y*WK-HDMvmuxKBcx5#N4%)T@E3t9Ps z%%ymZN{z)CC8%m2tfbalNwMr|Uas_g79<@v)LYuW$|P;w8=sHu3M|OuCgGClwjaJ3 za|a)}*I?LLd;NFBl@BfvVPoxwGm(hF%G<_dIQcrM4R2q4Z4AOfXW)EjneI+AkJjTT zIBXwsVL`#Y(kDsUM`f?#X&gdk6%q>g`1CL6$ ziL+My@TH23ke=SM54PxCsETd))vY+RU>|H9CmB{Z_`vQ2dRwspO{n zy>K1$`x#t7SP&p$@eZniSLXGd#Sy6DfGB2_?m6Us5>5#=^6Gp|C{nt8`Ky1f&o?$a z>*$u+hpBYUwzhk>>azFf!$N!z^G(tnR|de!OV+huRXPR@H?P}fTHED9C?Yu0iiy{> zU0Lad8`q(6$HRuExLky-cICoW@9|5TDwH&Z>cqj<){?u*q`_mCmf0Vlsh?fG_suIK z6g{TlK}Q!$JM;l)Wp;iU%ZjN;N5&x;S35Ili;HF9p_ntDaRgSk>QC1aru6`9`Z=uq-7I-tMMV?fuWO#o94`TV7LWq|f)Lh}=}wfrS1jBL*f%5}nKkYE!LOe62lJisWNRu|Hx9}P2Bk7YD-pU%#* zcMCe6ZrAn=c~@IdRF)1VOq8LQEBQ;l)jy^KDt7|BmDlf36&rf!>YLr0T*@ubw?j|4 zY}hTRfE21XP6&!7%W0dzgGS=cR^SD=l+2QzO_frZ8XF#%x(wST5nfFGRGKg zAm8}|qlw8&Qu2ZtAV7Gyx$7{SKIrS{ob@vc)p4Y0!Qq75N#sN*=HWdmX=Sk z04?ECG0uYWnw*sIVV_*Q)pA;NOR1MHcGuPZ(}HdUxVvuCp(GlMZnyO{Fa_{jnAuir zU()_-$78!CN@Pi>Av51o6`Nul3;k2-%M`A}#g5~xoHji$6PD+QcY{szqNv*hU1p*} zr_~W7I9jC83%d%E$`vO6V`cmILm&T++xX96ewL`;#G;ZprZ1o{s(yRF_5_8V3dPMd z(PY?68DY&!eXg~sY0gV>irc;c7TU6gS3VHwIVx7&eHmSBX+v6mYX3wbVIg z9YN5=?3kjHW&2jjtEdteSaxIhOiv>eVWbqgUxNADlWTCRMoUk1nCg`T&YS zl5uT)wPVLJZh8i|(_#i%n)Xl};;S`JRwA}nl)mW!`mm1KzymPKF!IfJ?gInfa`wF! 
zzUY17f=CE`)JZN7gTJJ`k>*G8!D^GBHQfN+C4255=;T3!y&Ge4Qfk zK>9C_tiP4OT$gvK6r9*^iQgmRK3^~eI*9K17Mp9YH{QAZ-TQoZabj3@enobk%zdl; z`@z>1efEwdUdFuuE86)n7p-&)WstkeoQ#a`@m{?h4}+5Rjxiv8;ouJ6vwv%*DQU;s zr@QohzH4_KtMk6}d@5Td<6dvO*3}d6Yyy4{t4U8*g}NMk?rN@&oQZWo#JQkvmoaIM z9d*QgC+$qt3la9TQl80RA^36s;>o6ysfuh1T%|pgv$m??PB}AVwwU=qQkW-H2Lmr1 zLEIbbFzIx=y-Air&WXbqVzq%*rrRkE9@SF7O2o=?S(ED1yV%IoJ-hN*6Q)})hY?+5 zX%&grmEcy=u?8t@y(!~cI(p;%T7p?z{!~+LMw6|R_1{inHGJnL(Jm>jVAw6ie*lO; zgu9fS%)sWd%3fU8E@MHM#fZGTL~J3m?WR$4VYmL9%=y8Ea>j>_$G+9M_>Y@!_^t9C|@5;CUB-gMZj*k-PL&OT9HIwK&vAPGU6TbzAj zjC<8|-_5Ju{v7GMH8101O}q!>i{Ep)e<GdrWJ~we|ke??8-X z#0Xke5nGvzvsl`98asD#9L?L%;3H*eqQh=`ltccN>F2blm5&+ zttszmmRLrvhE00-SpT^H4&&4fFDSSZ*j&VyU~AQvezpzXa!9GkKjp>gRQPYoVXU_> zn{scc`*Kdd^*OgoY*V5o0_8$Azn-a&eUvki%PLACdDv354URv%K+8^TTbLJNkUi2d z5y|onl@bN<6BUE-v7l9d?M4qx?pw)9)CY=}pz6pRP`7SB3%!4gz5^ENC(IO3p>DTb zDt;z;eDYolRa)ejY|NAw+RsaVO1}U-Ux!W4YwiWP*KZN(1XUj9?*)1Tt1f4<^!5%b zd!iVUc%e_MGj5o4480sjKuA6`WV`Gi<8?QEf}Hx{-A((`31hg zdU>h54iz}20@VxsZ7OdCt&{j$J{deL@WmzWrCJd-XN7AuN)LOdtdGPgf*Ux)esv~Vr_S=g)4Ps{cAt!2^XbW4UGml`l4_ZC`zIu0d4D_1 z&KCK51kxJ3s@K8JAPq{5F5+8AIo&~>!Nk7GG5Y(2O%+CYJB2-C!MD#~M;#ur8;ehB zw;#V(TrQ@IW6SePGSG4dIm4=5>{`Q;q8LyLDI?mX z7wn)T4GsAAbeKc&$Wduj#zj7dCQQ%YYGOb;7-9y8Ba%m(BWwskxf}2YPn%7X_>LjP z&Fwivui$Is#ZqpwpU2GzvN<51PW2;RtN@$ruJ9GKj`=Xrc5NWpFmBN*_*>i$onJ21 zZ(%yqipcsg>zLPCNdF;0p4%u{W3wvTArBqm0P#m7<#LPL&7R2yK3mxoyU$h{%=7;N zutkd=JGkBMr(PVpS$fvvFSj;_TRJG|LahjUO6$Id&I@;vMcD;)I~}9_HYW=e7KDwo z3Dr+Wr__|D6{bH@lQ6&`j4y6-I*61Lg*mtkP30pATN|1iJeY&?MfcD%<_EO+Z#NiR z#X;_AGU;oiFN`f}=*y!x6S32i9# zCg$?}mw4c6m8<`aaJ}D#)G?Wz?1fMk@NQXpaq%sn{=*(ONojVz zRxjSs%hryRWfu0V1^P9z$lScd*ao7fk@-u50Mu`ztE3>aBpwKf@nu^wkM@86@!w6U{yW0*Zw&9h;^y+IVI>IWfaiv*f=25a+kkQl zsP2A#-1lT;o!1d!QUC3lWmj7V0ZSK*rrNB=u=O(46tE3X8r)UrMICr z*b{Z_#z2^m`rbsD>{Bzq%6aU$f7TD;A0lWn&{#I>f#qzwl8hajzNRo-%{ox(tDutZLsnwu8kI{= z-YrQW4T;7vgZ97oSI1#On1nu=Wo73<8NOy6xaSAm#7LXFm`M)jL70FhPqZhvW3QYb=~RuAFfYuJk!*tw>!Wk?`ZGyBefPoII2z(XAsA@w_{ 
zKZB`0+fv6xHJG~}pv^6_IB?oiXOPD}M(RulqD~q|El#k17yRmy^%MFJgJm;6rLSX? zm1hU&l|xf1e#%|?Go^n)#9|BjJrlyuVq;dNaj{qjU1Pnb=rmK|t=P?oXW*cHPIVis z!eo8?A`wYZ`J#zr>gzKu1A<1=wp%wuo`qJka(x%@zr|F_sag}nP9H5zIe!D#pogiO z+o{Q5f{VnP(>gsXRUctFiZ(Th>c|)oF#nC%3oNQ5+y%%LkMo3;uhNZO~ zs334bvn|l7BLDrE!VhFR5XBmIc9*6ueYVZ$R+9Ha)Q)al@b~oWb!fX4WN7H*c>vD- z-c+LBguP1+y4h0(KI%u-pyWHx=q?9k7eZtc>Uz9t7mVDq?)Mw!Qt!hu34Sf4lQ{zm zQ8vtq)v(h3>~&ZCBj`tobQg68t)nXEN2K&^M+F5$SmFwr@YjtKw0LI~Ak84#QHFZA zD?J_6mJ^)}ks>)dA`u1{Qrl#muh9g=qwV+M1s#LMHE;(igdf(9)AF_H#SLDQrId2s z!;<^u_yLgP%cz?DU2Kb2%U$8j^}3QclQr%t21 zsILfjpTiMAcw4RaTYUQJVu_Cj%}&-C%qRGd!Fjzw&Y`*(f2$9a^5E$KadJmTR8Vs3 zOjb`&D$>@W#}}kKK%WTb1HnL(uy5q~G+^gp_|^S~+S__G^4H(% zU){%GF(?9s3c_|UPc8XHC(A>9rG(Ljya>f@wYg0@VIjqRJ2bSjI%CK?B(G+x z!IAsr)gyNWgGwiGBXftbZ=qZ=RCbsl;m@B9U-m%%#+n)G|@j zYDPU);*<+1DlL;@BH)6G3zm+O7&5tlE0(B?67FcY;7j!W^`7&c@0|CX@4x4d=YH<{ zx$paV?%(hFUDvfPvy6yDL+Oh4?Xm)Q*hdOmaQ`jMWx)Zt_?ACC<E-D=*Jb zu7^COl~D%DDreMf{sIPF?^shyN`*{%Pf(1A+A^Oe%J>U67Z@MYT05y4Tcpn@YElQi z8hYJrl<>}hMFU-i(=nP)%9?}m2K=JGS3)!uU0I}ls-IQg& zR;pRE|4mw1<-9Z>IV2^T(Ln^QRJzCE$#g=)JBlOL69)Q&+L`o-L}~mrk`MBLNf0_# zH+nW~ilZ(4clJ@%`@zybd4F5IKNP6DSiADUX3!2_eHOS)pNBj|N>`!EZL@E`l%m_} zQ%U+n4*7#g+iZX9k)qB}7VF%vy3p1y$6Vr85Mu$Fiww;^NdAUbg*F_BY6tXBIMHK> zqsC&ze8sWRyAvZ0eMxhP`#X&st9YZ$?y$5f?cmrB8wM=TyD5>1==!9$fy#oF_#+S1D^0V#PI2w(Ke#%7qt8t8BxTaeO9#;wDaozA?XS|3;JrNEThGOh$&$j5F@!WS)!QP4GWyFbYXZsf zglOg@(H(M2^LQbP39+Dh^T__0_~E4WAeW{wQgbFhCTF=|)eK4J1rHQv*0D~c-`Yyx zb+Lf?T72I^2mzU>R~n|z_0#?1`pKA7@uF3~@TnQ80$P(;1Ht;T9Y)A@Wx1gddYg&i zs_J|Y!FDNgJUdn`XVcj@5Fij(qLSAQ49Cvu&6`I<9_iz-tYy?|QKCiL7vJf(8o|;% z+Q5xLMmka`0*8Nmd!h$A=xfIHY6|{IUQ- zbR#6!feo%_m#~NF$5UEFsIALSGX`jfHp+x9YjG~Vs^r4$>DBmz#g2mylWFXlQ2`wP zZ6Bbv;itUmD^2BFOEfp4eKL4xt=iwNh6xYeuuE8*^&-)C`SmL5C zoXh9>K|3dDL=HjjbtxM?>;#VydYLOBWTK7eFSGh|4097U`SPn#M>Wf}mlhY$uL%2J?WX63|i zcyntyh#K265QkwX@yAFRPWdPpDn_p=IhHp(8eYh@U|=@m8Se{(?l2#(pK8M_o*B-0 zya%Ppx-&Cc={?aFDN!BmmxU!)A{svxQO}a?$>BIiTAqu&D9o}>o!MCzuhzYk*as*E 
z5v!wog*bSzh9ve?n0MT3dtz7&23d42N+pLH+)p|qI&3;AFpQi>bYuLQ?5;%B_k@?~ z@s;$6u|VWz>aWO;_nDwf+7|N#5)xe+J^?kn2?@SqUeOB%93ETwMsV!PBKRL>i!1sO3j+F41b0?9 zFtPxl)zM-%hRs-#-r7v5&*q*yIJ%feTaigk3tnym2VbhA$G9wfq_^ADyBAiYEcki& zxXOd6DwEGExcbVfM-y2&B&WHgb=qROU(|7%U!LF`q7jx(vK)vlHiXg->;Bc?74F=T z@_-NK9?`4dsBBg1w=?x#63PxR`)Gd(F@kDvwx3gJV{?3uXV$XAtE_8q!|b>_O<=N^ zX|jm^Y`+DGRwd?+iAW=lCCTZX(u|w1HngxwLr7un3=O&7R$hi z?nkn#(^2GIZk_n@c62i=G)IL+Y)+Z2Iwpl1Y}_$r`D2`9kU?|L(jYT-swiptav-3R z7rJFC$cN#tMcx*ZX))7OW>5Jc-)F#MobyfpgA>GE@ShLy7YepCWy7o7-m^LiclD_L zhf#=hp0fSeTNFX(oLUajNqg6+F$HmlnM`hni}I;=pM-qK)`)(x8Kv~`s1NTd=&UGn zY6lV2ReYYHx0Wcc2&AasaJ&8~OFr$I@KAVb+4lW*hMM_9gii3gWi?MZXO5>o`e#|o z;ynm_nsC#HWtVc^b|PHxNggr&mznT?$@(QfK%}zn44FS5OYJ0uiu8XDG#r;FLAu*5 zu1#YdXtP;|+SD_sO||Ffv34n8f4QD7LZ&^$%GIbO({X<=MKTVqfCcYf_}$#>dhDyKJmIm4cN#QRuEJk=#vh;kn66kn5!q<@+* zzhV^mZp!zu0Bl38Z=0ZZNb_$7(4|c$!fe8>O?8=&5S90iCv)r{|K#g5H=DqW!;``B z=37c9D%#P_pB=S=VdZ-k{*psu=bqCnvS=#5cWEB2&Kw_`JEQR^>nO_f2P|u&@VGYvN`o{LLnfTW))>#a;fa= zlc*G?5PG;ZzNq=ER6rH(`cW>515@q&ZQmTA-n~LhJJYx=-+O7gngUhlcToe{`cqg(CX;?!uyFraV>53*|OS6?y9$ zVkmiR)k^mbM82%}j`}J){O|7juX|fbB3%u<(E3HG7*!wT$2YF*1vt>dM{aF{f?iql zH7si0zBucH`S1gS24+BtvxGCXcL0qryvOO*(ofJ<7)Mf1|I`CBiJBVU@pOokyB>}ZDyBPes?lwY0 z`YtVs{Hw$my~`NrlzIDoGd_S}on!jLM*>a7N-D0$zP_>}37eE;m8yKSd5STDe)COg z8`F`?W+!Z@H~fE)O#d%1tnth3#UbvwTm(Bs7S^}V70GNJG~~eg!P0rxVPNl+&4sxQ z)f%Z^gxQA7EaRj+8(MK!$r=+KmG%b>M!Ip_RLv9;+~qmb6ZI#RMn>C{w>P;jG-PE_ zC;3AEeA0FR|JqQJ`03i3Hg8O1DS2cz#2xk}a(Rm8br(@#jW87e+#y+i z>)%?*>Q|!5mZLxF%1SoG)`5TOv0(R@k%>&}q^3(CONB%7AEdKTc30G!s{vEXmHCvV zpL~-ZT8>|{7_3c>c&?~W{H^4-Swkp1S#%xa7TH;P|pCow3of_T6<)Yuzr5^n8<|9&dyxy*!C+uS*~+FEHOY)79CG$T3D>-Hgq zzvY4l(!NC=)~|+*Mv%TG-whs=sm*?WX Date: Mon, 1 Nov 2021 19:26:51 +0100 Subject: [PATCH 238/288] [GH-Actions][pages] Update mkdocs-material to 7.3.6 --- .github/workflows/gh-pages.yml | 2 +- README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 2b1494e88..cf79870b6 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -16,7 +16,7 @@ jobs: run: | sudo apt-get -y update sudo apt-get -y install python3-pip - pip install mkdocs-material==7.3.5 pygments==2.10.0 mkdocs-redirects==1.0.3 + pip install mkdocs-material==7.3.6 pygments==2.10.0 mkdocs-redirects==1.0.3 - name: Build site 🔧 run: | diff --git a/README.md b/README.md index 003fa8dbc..9da27310d 100644 --- a/README.md +++ b/README.md @@ -9,6 +9,6 @@ https://mailcow.github.io/mailcow-dockerized-docs To build it locally, you need the [Material theme for MkDocs](https://squidfunk.github.io/mkdocs-material/), [MkDocs](https://www.mkdocs.org/) itself and [Pygments](http://pygments.org/). To install these with [pip](https://pip.pypa.io/en/stable/) and get it up and running, fire up your terminal and enter ``` -pip install mkdocs-material==7.3.5 pygments==2.10.0 mkdocs-redirects==1.0.3 +pip install mkdocs-material==7.3.6 pygments==2.10.0 mkdocs-redirects==1.0.3 mkdocs serve ``` From 6b9fb0d2629833666ba0cd21d97ad59cdcfbc547 Mon Sep 17 00:00:00 2001 From: Peter Date: Tue, 2 Nov 2021 21:35:07 +0100 Subject: [PATCH 239/288] [GH-Actions][pages] Update checkout to v2.4.0 --- .github/workflows/gh-pages.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index cf79870b6..412bf651b 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -8,7 +8,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout 📥 - uses: actions/checkout@v2.3.5 + uses: actions/checkout@v2.4.0 with: token: '${{ secrets.GHPAGES_ACTION_CHECKOUT_TOKEN_PAT }}' From 26d5fc06c3265883248a439e0a5135af3b3c4034 Mon Sep 17 00:00:00 2001 
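Review bot: PATCH 238/288 edits the same pin string, `mkdocs-material==7.3.6 pygments==2.10.0 mkdocs-redirects==1.0.3`, in both `.github/workflows/gh-pages.yml` and `README.md`, so the two copies can drift on the next bump. Consider keeping the pins in one requirements file that both the workflow and the README instructions install from.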
From: gummipunkt Date: Fri, 5 Nov 2021 12:57:11 +0100 Subject: [PATCH 240/288] Update b_n_r-coldstandby.md (#314) typo --- docs/b_n_r-coldstandby.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/b_n_r-coldstandby.md b/docs/b_n_r-coldstandby.md index 2baba6e6d..5227ccb34 100644 --- a/docs/b_n_r-coldstandby.md +++ b/docs/b_n_r-coldstandby.md @@ -49,7 +49,7 @@ The destination must have Docker and docker-compose **v1** available. The script will detect errors automatically and exit. -You may want to test the connection by running `ssh mailcow-backup.host.name -p22 -i/path/to/keyfile`. +You may want to test the connection by running `ssh mailcow-backup.host.name -p22 -i /path/to/keyfile`. ## Backup and refresh the cold-standby From 8bd6e4dbe289ae2e48089960f5a4b43432a56f27 Mon Sep 17 00:00:00 2001 From: gummipunkt Date: Fri, 5 Nov 2021 21:40:41 +0100 Subject: [PATCH 241/288] Update firststeps-rspamd_ui.md (#315) Fixed menu path --- docs/firststeps-rspamd_ui.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/firststeps-rspamd_ui.md b/docs/firststeps-rspamd_ui.md index 01ae321f1..c9cefbfcf 100644 --- a/docs/firststeps-rspamd_ui.md +++ b/docs/firststeps-rspamd_ui.md @@ -1,7 +1,7 @@ [Rspamd](https://rspamd.com/) is an easy to use spam filtering tool presently installed with mailcow. 1. Go to the mailcow web admin interface -2. Navigate to the Access tab. (Configuration > Administration > Access) +2. Navigate to the Access tab. (Configuration > Configuration & Details > Access) 3. Modify the Rspamd UI password 4. Go to https://${MAILCOW_HOSTNAME}/rspamd in a browser and log in! From a697e9a4d2b71597607daa8b81790f9185ff07db Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Mon, 8 Nov 2021 09:52:16 +0100 Subject: [PATCH 242/288] Update third_party-exchange_onprem.md --- docs/third_party-exchange_onprem.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/docs/third_party-exchange_onprem.md b/docs/third_party-exchange_onprem.md index be105b60c..f8d6903ab 100644 --- a/docs/third_party-exchange_onprem.md +++ b/docs/third_party-exchange_onprem.md @@ -16,7 +16,7 @@ This setup becomes very handy if you have enabled the [Office 365 security defau Your mailcow needs to relay all mails to your personalized Exchange Host. It is the same host address we already looked up for the mx Record. 1. Add the domain to your mailcow -2. [Add your personalized Exchange Host address as relayhost](/firststeps-relayhost) +2. [Add your personalized Exchange Host address as relayhost](/u_e-postfix-relayhost) 3. Add your personalized Exchange Host address as forwarding host to unconditionally accepted all relayed mails from Exchange. (Admin > Configuration & Details > Configuration Dropdown > Forwarding Hosts) 4. Go to the domain settings and select the newly added host on the `Sender-dependent transports` dropdown. Enable relaying by ticking the `Relay this domain`, `Relay all recipients` and the `Relay non-existing mailboxes only.` checkboxes 
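Review bot: in list item 2 of this hunk the new target `/u_e-postfix-relayhost` is still a root-absolute link, while the README gives the published site as https://mailcow.github.io/mailcow-dockerized-docs, so the link resolves against the host root rather than the docs path. A relative link to the page would work both on the published site and under a local `mkdocs serve`.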
@@ -39,4 +39,4 @@ The easiest way to validate the hybrid setup is by sending a mail from the inter - Mails sent from the mailcow to a mailbox in the internet cannot be sent. Non Delivery Report with error `550 5.7.64 TenantAttribution; Relay Access Denied` **Possible Solution:** The authentication method failed. Make sure the certificate subject matches an accepted domain in Exchange. Try authenticating by static ip instead. -Microsoft Guide for the connector setup and additional requirements: https://docs.microsoft.com/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/set-up-connectors-to-route-mail#prerequisites-for-your-on-premises-email-environment \ No newline at end of file +Microsoft Guide for the connector setup and additional requirements: https://docs.microsoft.com/exchange/mail-flow-best-practices/use-connectors-to-configure-mail-flow/set-up-connectors-to-route-mail#prerequisites-for-your-on-premises-email-environment From 50d88c031472e5b4c123fc6ca71453202a952d02 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Peters?= Date: Mon, 8 Nov 2021 11:30:45 +0100 Subject: [PATCH 243/288] Update third_party-exchange_onprem.md --- docs/third_party-exchange_onprem.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/third_party-exchange_onprem.md b/docs/third_party-exchange_onprem.md index f8d6903ab..d38f62ca4 100644 --- a/docs/third_party-exchange_onprem.md +++ b/docs/third_party-exchange_onprem.md 
@@ -16,7 +16,7 @@ This setup becomes very handy if you have enabled the [Office 365 security defau Your mailcow needs to relay all mails to your personalized Exchange Host. It is the same host address we already looked up for the mx Record. 1. Add the domain to your mailcow -2. [Add your personalized Exchange Host address as relayhost](/u_e-postfix-relayhost) +2. [Add your personalized Exchange Host address as relayhost](/mailcow-dockerized-docs/u_e-postfix-relayhost) 3. Add your personalized Exchange Host address as forwarding host to unconditionally accepted all relayed mails from Exchange. (Admin > Configuration & Details > Configuration Dropdown > Forwarding Hosts) 4. Go to the domain settings and select the newly added host on the `Sender-dependent transports` dropdown. Enable relaying by ticking the `Relay this domain`, `Relay all recipients` and the `Relay non-existing mailboxes only.` checkboxes From 0f23e1714de9f80959853e93017974f16bd5b425 Mon Sep 17 00:00:00 2001 From: Dmitriy Alekseev <1865999+dragoangel@users.noreply.github.com> Date: Tue, 9 Nov 2021 02:12:56 +0200 Subject: [PATCH 244/288] Update firststeps-dmarc_reporting.md Add more details about Olefia syntax and examples Remove numbering because it was displayed wrongly --- docs/firststeps-dmarc_reporting.md | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/docs/firststeps-dmarc_reporting.md b/docs/firststeps-dmarc_reporting.md index aabfdb229..cc58f9b18 100644 --- a/docs/firststeps-dmarc_reporting.md +++ b/docs/firststeps-dmarc_reporting.md @@ -16,7 +16,7 @@ Rspamd documentation can be found here: https://rspamd.com/doc/modules/dmarc.htm ## Enable DMARC reporting -1. Create the file `data/conf/rspamd/local.d/dmarc.conf` and set the following content: +Create the file `data/conf/rspamd/local.d/dmarc.conf` and set the following content: ``` reporting { 
@@ -34,7 +34,7 @@ reporting { } ``` -2. Create or modify `docker-compose.override.yml` in the mailcow-dockerized base directory: +Create or modify `docker-compose.override.yml` in the mailcow-dockerized base directory: ``` version: '2.1' @@ -52,7 +52,7 @@ services: - rspamd-mailcow ``` -3. Run `docker-compose up -d` +Run `docker-compose up -d` ## Send a copy reports to yourself @@ -102,9 +102,13 @@ docker-compose exec redis-mailcow redis-cli HGETALL "dmarc;example.com;20211231" ## Change DMARC reporting frequency -In the example above reports are sent once every 24 hours. You may want to change that interval: +In the example above reports are sent once every 24 hours. -1. Edit `docker-compose.override.yml` and a djust `ofelia.job-exec.rspamd_dmarc_reporting.schedule: "@every 24h"` to a desired value. +Olefia schedule has same implementation as `cron` in Go, supported syntax described at [cron Documentation](https://pkg.go.dev/github.com/robfig/cron) + +To change schedule: + +1. Edit `docker-compose.override.yml` and a djust `ofelia.job-exec.rspamd_dmarc_reporting.schedule: "@every 24h"` to a desired value, for example to `"@midnight"` 2. Run `docker-compose up -d` @@ -116,6 +120,6 @@ To disable reporting: 1. Set `enabled` to `false` in `data/conf/rspamd/local.d/dmarc.conf` -2. Revert changes done to `docker-compose.override.yml` +2. Revert changes done in `docker-compose.override.yml` to `rspamd-mailcow` and `ofelia-mailcow` 3. Run `docker-compose up -d` From 09c9d3488897b91af3f7cd66017c42a1b44f6d2b Mon Sep 17 00:00:00 2001 From: Peter Date: Mon, 15 Nov 2021 17:50:46 +0100 Subject: [PATCH 245/288] Update third_party-exchange_onprem.md --- docs/third_party-exchange_onprem.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/third_party-exchange_onprem.md b/docs/third_party-exchange_onprem.md index d38f62ca4..571da0544 100644 --- a/docs/third_party-exchange_onprem.md +++ b/docs/third_party-exchange_onprem.md 
@@ -10,13 +10,13 @@ This setup becomes very handy if you have enabled the [Office 365 security defau 1. Log in to your [Exchange Admin Center](https://admin.exchange.microsoft.com) 2. Select the `mail flow` pane and click on `accepted domains` 3. Select the domain and switch it from `authorative` to `internal relay` - - + + ## Set up the mailcow Your mailcow needs to relay all mails to your personalized Exchange Host. It is the same host address we already looked up for the mx Record. 1. Add the domain to your mailcow -2. [Add your personalized Exchange Host address as relayhost](/mailcow-dockerized-docs/u_e-postfix-relayhost) +2. [Add your personalized Exchange Host address as relayhost](../u_e-postfix-relayhost) 3. Add your personalized Exchange Host address as forwarding host to unconditionally accepted all relayed mails from Exchange. (Admin > Configuration & Details > Configuration Dropdown > Forwarding Hosts) 4. Go to the domain settings and select the newly added host on the `Sender-dependent transports` dropdown. Enable relaying by ticking the `Relay this domain`, `Relay all recipients` and the `Relay non-existing mailboxes only.` checkboxes @@ -29,7 +29,7 @@ All mail traffic now goes through Exchange. At this point the Exchange Online Pr !!! warning For the connector that handles mails from your mailcow to Exchange Microsoft offers two ways of authenticating it. The recommended way is to use a tls certificate configured with a subject name that matches an accepted domain in Exchange. Otherwise you need to choose authentication with the static ip address of your mailcow. - + ## Validating The easiest way to validate the hybrid setup is by sending a mail from the internet to a mailbox that only exists on the mailcow and vice versa. From 5f45275409d9fe292b5215a7ec4f526a33b5bf6e Mon Sep 17 00:00:00 2001 
From: Peter Date: Mon, 15 Nov 2021 17:54:19 +0100 Subject: [PATCH 246/288] Add redirects for debug-reset(-/_)tls.md --- mkdocs.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/mkdocs.yml b/mkdocs.yml index 10b570ebe..754ab081b 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -157,5 +157,7 @@ plugins: - search - redirects: redirect_maps: + # 'old': 'new' 'u_e-mailpiler-integration.md': 'third_party-mailpiler_integration.md' 'b_n_r_accidental_deletion.md': 'b_n_r-accidental_deletion.md' + 'debug-reset-tls.md': 'debug-reset_tls.md' From 9dea9456a22eb46a1b4a174cb07c31e3236b873d Mon Sep 17 00:00:00 2001 From: Dmitriy Alekseev <1865999+dragoangel@users.noreply.github.com> Date: Fri, 19 Nov 2021 16:05:52 +0200 Subject: [PATCH 247/288] Update u_e-unbound-fwd.md Add additional details why public revolvers shouldn't be used --- docs/u_e-unbound-fwd.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/u_e-unbound-fwd.md b/docs/u_e-unbound-fwd.md index e4a64f612..ac62149b5 100644 --- a/docs/u_e-unbound-fwd.md +++ b/docs/u_e-unbound-fwd.md @@ -1,7 +1,7 @@ If you want or have to use an external DNS service, you can either set a forwarder in Unbound or copy an override file to define external DNS servers: !!! warning - Please do not use a public resolver like we did in the example above. Many - if not all - blacklist lookups will fail with public resolvers. + Please do not use a public resolver like we did in the example above. Many - if not all - blacklist lookups will fail with public resolvers, because blacklist server has limits on how much requests can be done from one IP and public resolvers usually reach this limits. **Important**: Only DNSSEC validating DNS services will work. ## Method A, Unbound From 2ecd36ab3488d3124a32addaabef13069c0c6035 Mon Sep 17 00:00:00 2001 
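Review bot: in PATCH 247/288 the sentence added to the warning in `docs/u_e-unbound-fwd.md` reads "how much requests" and "reach this limits"; suggest "because blacklist servers limit how many requests can be made from one IP, and public resolvers usually reach these limits". The same line still says "like we did in the example above", but the hunk starts at line 1 of the file and no example precedes the warning, so "below" (or moving the warning after the example) would match the page.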
From: valentin-ed <73354059+valentin-ed@users.noreply.github.com> Date: Fri, 19 Nov 2021 23:13:10 +0100 Subject: [PATCH 248/288] Update third_party-roundcube.md (#317) Adding ` Date: Fri, 19 Nov 2021 23:14:57 +0100 Subject: [PATCH 249/288] [GH-Actions][pages] Update github-pages-deploy-action to 4.1.6 --- .github/workflows/gh-pages.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 412bf651b..3a74c2445 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -23,7 +23,7 @@ jobs: mkdocs build --verbose --clean - name: Deploy 🚀 - uses: JamesIves/github-pages-deploy-action@4.1.5 + uses: JamesIves/github-pages-deploy-action@4.1.6 with: token: '${{ secrets.GHPAGES_ACTION_DEPLOY_TOKEN_PAT }}' git-config-name: '${{ secrets.GHPAGES_ACTION_DEPLOY_GITNAME_PAT }}' From d83c4e8dd4329d884ada9706d7d85f7cff1f227a Mon Sep 17 00:00:00 2001 From: FingerlessGloves Date: Sun, 28 Nov 2021 19:24:29 +0000 Subject: [PATCH 250/288] Update Roundcube docs for release 1.5.1 (#321) Update Roundcube docs for release 1.5.1 --- docs/third_party-roundcube.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/third_party-roundcube.md b/docs/third_party-roundcube.md index 4581bd7e2..bb9af6739 100644 --- a/docs/third_party-roundcube.md +++ b/docs/third_party-roundcube.md @@ -4,9 +4,9 @@ Download Roundcube 1.5.x to the web htdocs directory and extract it (here `rc/`) ``` # Check for a newer release! cd data/web -wget -O - https://github.com/roundcube/roundcubemail/releases/download/1.5.0/roundcubemail-1.5.0-complete.tar.gz | tar xfvz - +wget -O - https://github.com/roundcube/roundcubemail/releases/download/1.5.1/roundcubemail-1.5.1-complete.tar.gz | tar xfvz - # Change folder name -mv roundcubemail-1.5.0 rc +mv roundcubemail-1.5.1 rc # Change permissions chown -R root: rc/ 
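Review bot: in PATCH 250/288 the updated `wget -O - ... | tar xfvz -` line streams the 1.5.1 release tarball straight into `data/web` with no integrity check, so a truncated or altered download is unpacked directly under the web root. Suggest downloading to a file first, verifying it against a checksum or signature for the release where the project publishes one, and only then extracting; the upgrade commands in the second hunk use the same pipeline and would need the same change.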
@@ -179,8 +179,8 @@ docker exec -it mailcowdockerized_php-fpm-mailcow_1 bash apk add rsync cd /tmp -wget -O - https://github.com/roundcube/roundcubemail/releases/download/1.5.0/roundcubemail-1.5.0-complete.tar.gz | tar xfvz - -cd roundcubemail-1.5.0 +wget -O - https://github.com/roundcube/roundcubemail/releases/download/1.5.1/roundcubemail-1.5.1-complete.tar.gz | tar xfvz - +cd roundcubemail-1.5.1 bin/installto.sh /web/rc # Type 'Y' and press enter to upgrade your install of Roundcube From 9e0afa5141e79f6856286577807eefbcc518618b Mon Sep 17 00:00:00 2001 From: Peter Date: Mon, 29 Nov 2021 19:12:10 +0100 Subject: [PATCH 251/288] Prepare for renovate bot --- .github/workflows/gh-pages.yml | 2 +- .github/workflows/renovate_check-build.yml | 23 ++++++++++++++++++++++ README.md | 5 +++-- requirements.txt | 3 +++ 4 files changed, 30 insertions(+), 3 deletions(-) create mode 100644 .github/workflows/renovate_check-build.yml create mode 100644 requirements.txt diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 3a74c2445..ee0ae1475 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -16,7 +16,7 @@ jobs: run: | sudo apt-get -y update sudo apt-get -y install python3-pip - pip install mkdocs-material==7.3.6 pygments==2.10.0 mkdocs-redirects==1.0.3 + pip install -r requirements.txt - name: Build site 🔧 run: | diff --git a/.github/workflows/renovate_check-build.yml b/.github/workflows/renovate_check-build.yml new file mode 100644 index 000000000..9fb6eacdd --- /dev/null +++ b/.github/workflows/renovate_check-build.yml 
@@ -0,0 +1,23 @@ +name: Check build for renovate +on: + push: + branches: + - 'renovate/**' +jobs: + build-and-deploy: + runs-on: ubuntu-latest + steps: + - name: Checkout 📥 + uses: actions/checkout@v2.4.0 + with: + token: '${{ secrets.GHPAGES_ACTION_CHECKOUT_TOKEN_PAT }}' + + - name: Install dependencies 🐄 + run: | + sudo apt-get -y update + sudo apt-get -y install python3-pip + pip install -r requirements.txt + + - name: Build site 🔧 + run: | + mkdocs build --verbose --clean diff --git a/README.md b/README.md index 9da27310d..40db5bad7 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -[![Build and deploy to gh-pages](https://github.com/mailcow/mailcow-dockerized-docs/actions/workflows/gh-pages.yml/badge.svg)](https://github.com/mailcow/mailcow-dockerized-docs/actions/workflows/gh-pages.yml) +[![Build and deploy to gh-pages](https://img.shields.io/github/workflow/status/mailcow/mailcow-dockerized-docs/Build%20and%20deploy%20to%20gh-pages/master?label=Build%20and%20deploy%20to%20gh-pages)](https://github.com/mailcow/mailcow-dockerized-docs/actions/workflows/gh-pages.yml) # mailcow: dockerized documentation @@ -9,6 +9,7 @@ https://mailcow.github.io/mailcow-dockerized-docs To build it locally, you need the [Material theme for MkDocs](https://squidfunk.github.io/mkdocs-material/), [MkDocs](https://www.mkdocs.org/) itself and [Pygments](http://pygments.org/). To install these with [pip](https://pip.pypa.io/en/stable/) and get it up and running, fire up your terminal and enter ``` -pip install mkdocs-material==7.3.6 pygments==2.10.0 mkdocs-redirects==1.0.3 +git clone https://github.com/mailcow/mailcow-dockerized-docs.git +pip install -r requirements.txt mkdocs serve ``` diff --git a/requirements.txt b/requirements.txt new file mode 100644 index 000000000..877bd1729 --- /dev/null +++ b/requirements.txt @@ -0,0 +1,3 @@ +mkdocs-material==7.3.6 +mkdocs-redirects==1.0.3 +pygments==2.10.0 From 19b43c40514907c61109ec0f25ac889668c2f09a Mon Sep 17 00:00:00 2001 
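Review bot: the `Checkout` step in the new `renovate_check-build.yml` passes `secrets.GHPAGES_ACTION_CHECKOUT_TOKEN_PAT`, yet this job only installs dependencies and runs `mkdocs build --verbose --clean` on every push to `renovate/**`. Nothing here pushes, so drop the `token:` input and let the checkout use the default token; that keeps the PAT out of a job that runs `pip install -r requirements.txt` from a bot-updated branch. The job id `build-and-deploy` was also carried over from the deploy workflow although this job deploys nothing; `build` would describe it.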
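Review bot: in the README hunk of PATCH 251/288 the added `git clone https://github.com/mailcow/mailcow-dockerized-docs.git` is followed directly by `pip install -r requirements.txt`, which then runs in the directory the user started from rather than in the fresh clone where `requirements.txt` lives. Add `cd mailcow-dockerized-docs` between the two lines.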
From: Peter Date: Mon, 29 Nov 2021 19:12:35 +0100 Subject: [PATCH 252/288] Add config for renovate bot --- .github/renovate.json | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 .github/renovate.json diff --git a/.github/renovate.json b/.github/renovate.json new file mode 100644 index 000000000..fddc40c19 --- /dev/null +++ b/.github/renovate.json @@ -0,0 +1,11 @@ +{ + "enabled": true, + "timezone": "Europe/Berlin", + "dependencyDashboard": false, + "dependencyDashboardTitle": "Renovate Dashboard", + "commitBody": "Signed-off-by: Peter ", + "rebaseWhen": "auto", + "assignees": [ + "@magiccc" + ] +} From ef71032aa98b119dc4ebcaffa83f29a2be899696 Mon Sep 17 00:00:00 2001 From: Peter Date: Mon, 29 Nov 2021 19:16:44 +0100 Subject: [PATCH 253/288] Enable renovate dependencyDashboard --- .github/renovate.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/renovate.json b/.github/renovate.json index fddc40c19..d858c3c26 100644 --- a/.github/renovate.json +++ b/.github/renovate.json @@ -1,7 +1,7 @@ { "enabled": true, "timezone": "Europe/Berlin", - "dependencyDashboard": false, + "dependencyDashboard": true, "dependencyDashboardTitle": "Renovate Dashboard", "commitBody": "Signed-off-by: Peter ", "rebaseWhen": "auto", From 4a0dab470e61c13ac7c8dd335aa5e8976409e66d Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 29 Nov 2021 19:20:03 +0100 Subject: [PATCH 254/288] Update JamesIves/github-pages-deploy-action action to v4.1.7 (#323) Signed-off-by: Peter Co-authored-by: Renovate Bot --- .github/workflows/gh-pages.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index ee0ae1475..4b8def574 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml 
@@ -23,7 +23,7 @@ jobs: mkdocs build --verbose --clean - name: Deploy 🚀 - uses: JamesIves/github-pages-deploy-action@4.1.6 + uses: JamesIves/github-pages-deploy-action@4.1.7 with: token: '${{ secrets.GHPAGES_ACTION_DEPLOY_TOKEN_PAT }}' git-config-name: '${{ secrets.GHPAGES_ACTION_DEPLOY_GITNAME_PAT }}' From eaf82078ca2c0d1d54c4a5cf751e20ee52f11602 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 29 Nov 2021 19:25:29 +0100 Subject: [PATCH 255/288] Update dependency mkdocs-material to v8 (#324) * Update dependency mkdocs-material to v8 Signed-off-by: Peter * Enable Anchor tracking Co-authored-by: Renovate Bot Co-authored-by: Peter --- mkdocs.yml | 1 + requirements.txt | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/mkdocs.yml b/mkdocs.yml index 754ab081b..6dc5e92d4 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -11,6 +11,7 @@ theme: favicon: images/favicon.png features: - navigation.top + - navigation.tracking markdown_extensions: - codehilite: guess_lang: true diff --git a/requirements.txt b/requirements.txt index 877bd1729..f8e106056 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,3 +1,3 @@ -mkdocs-material==7.3.6 +mkdocs-material==8.0.1 mkdocs-redirects==1.0.3 pygments==2.10.0 From a79c2896f77b301e8c8bf2b443ebd1cd96278c03 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 30 Nov 2021 17:38:44 +0100 Subject: [PATCH 256/288] Update dependency mkdocs-material to v8.0.2 (#326) Signed-off-by: Peter Co-authored-by: Renovate Bot --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index f8e106056..b35d7d2d1 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,3 +1,3 @@ -mkdocs-material==8.0.1 +mkdocs-material==8.0.2 mkdocs-redirects==1.0.3 pygments==2.10.0 From a77b593941403669567605a1c392a985cc9b93b4 Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 2 Dec 2021 16:32:45 +0100 Subject: [PATCH 257/288] Update dependency mkdocs-material to v8.0.3 (#327) Signed-off-by: Peter Co-authored-by: Renovate Bot --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index b35d7d2d1..9a536c5c6 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,3 +1,3 @@ -mkdocs-material==8.0.2 +mkdocs-material==8.0.3 mkdocs-redirects==1.0.3 pygments==2.10.0 From 3754b427e3f64f375bbdb83e6443ccefaeb845a3 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sat, 4 Dec 2021 15:11:33 +0100 Subject: [PATCH 258/288] Update dependency mkdocs-material to v8.0.4 (#328) Signed-off-by: Peter Co-authored-by: Renovate Bot --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 9a536c5c6..815a5fd9d 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,3 +1,3 @@ -mkdocs-material==8.0.3 +mkdocs-material==8.0.4 mkdocs-redirects==1.0.3 pygments==2.10.0 From b894075fcde5c9a0be88ce901a0bd47cd0b0a9bb Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 7 Dec 2021 09:41:02 +0100 Subject: [PATCH 259/288] Update dependency mkdocs-material to v8.0.5 (#329) Signed-off-by: Peter Co-authored-by: Renovate Bot --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 815a5fd9d..b50e144b5 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,3 +1,3 @@ -mkdocs-material==8.0.4 +mkdocs-material==8.0.5 mkdocs-redirects==1.0.3 pygments==2.10.0 From e5c2dfa70ce83d7f9b38ce084d432a34c01f6563 Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 10 Dec 2021 19:05:46 +0100 Subject: [PATCH 260/288] Update dependency mkdocs-material to v8.1.0 (#330) Signed-off-by: Peter Co-authored-by: Renovate Bot --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index b50e144b5..4b59b359f 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,3 +1,3 @@ -mkdocs-material==8.0.5 +mkdocs-material==8.1.0 mkdocs-redirects==1.0.3 pygments==2.10.0 From 45986affa30aa0641439bcf4bff9580b3192e2d8 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 13 Dec 2021 18:52:44 +0100 Subject: [PATCH 261/288] Update dependency mkdocs-material to v8.1.1 (#332) Signed-off-by: Peter Co-authored-by: Renovate Bot --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 4b59b359f..040187313 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,3 +1,3 @@ -mkdocs-material==8.1.0 +mkdocs-material==8.1.1 mkdocs-redirects==1.0.3 pygments==2.10.0 From 951cbbed75e3ab2c02c7af59ac31a39ce3737446 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 15 Dec 2021 11:50:19 +0100 Subject: [PATCH 262/288] Update dependency mkdocs-material to v8.1.2 (#333) Signed-off-by: Peter Co-authored-by: Renovate Bot --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 040187313..eef97e42b 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,3 +1,3 @@ -mkdocs-material==8.1.1 +mkdocs-material==8.1.2 mkdocs-redirects==1.0.3 pygments==2.10.0 From b980b5b89f66b47cad1ad946704f9f84600f7eb2 Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sat, 18 Dec 2021 17:51:59 +0100 Subject: [PATCH 263/288] Update JamesIves/github-pages-deploy-action action to v4.1.8 (#334) Signed-off-by: Peter Co-authored-by: Renovate Bot --- .github/workflows/gh-pages.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 4b8def574..a0be3be85 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -23,7 +23,7 @@ jobs: mkdocs build --verbose --clean - name: Deploy 🚀 - uses: JamesIves/github-pages-deploy-action@4.1.7 + uses: JamesIves/github-pages-deploy-action@4.1.8 with: token: '${{ secrets.GHPAGES_ACTION_DEPLOY_TOKEN_PAT }}' git-config-name: '${{ secrets.GHPAGES_ACTION_DEPLOY_GITNAME_PAT }}' From 22261472f158a19dbf8e297fd2a0f86d9488915c Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sun, 19 Dec 2021 16:12:38 +0100 Subject: [PATCH 264/288] Update dependency mkdocs-material to v8.1.3 (#335) Signed-off-by: Peter Co-authored-by: Renovate Bot --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index eef97e42b..1977fc130 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,3 +1,3 @@ -mkdocs-material==8.1.2 +mkdocs-material==8.1.3 mkdocs-redirects==1.0.3 pygments==2.10.0 From fd1800681cae72d469bdb5f738c9b475491201ba Mon Sep 17 00:00:00 2001 
From: Robert McQueen Date: Wed, 22 Dec 2021 18:43:08 +0000 Subject: [PATCH 265/288] third_party-borgmatic: Improve volume configuration (#336) Try to more closely match the backup_and_restore.sh script by including postfix, rspamd and redis volumes. Ignore the paths that contain sockets/FIFOs as borgmatic uses these for its mysql backup, which means borg "stuck" trying to read these. Move the generated borg security data and cache to volumes so that they persists without writing in the mailcow/data folder or the overlay. --- docs/third_party-borgmatic.md | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/docs/third_party-borgmatic.md b/docs/third_party-borgmatic.md index 6c98dcae1..7cec6f34e 100644 --- a/docs/third_party-borgmatic.md +++ b/docs/third_party-borgmatic.md @@ -23,17 +23,23 @@ configuration: ```yaml version: '2.1' + services: borgmatic-mailcow: image: b3vis/borgmatic + hostname: mailcow restart: always dns: ${IPV4_NETWORK:-172.22.1}.254 volumes: - vmail-vol-1:/mnt/source/vmail:ro - crypt-vol-1:/mnt/source/crypt:ro + - redis-vol-1:/mnt/source/redis:ro,z + - rspamd-vol-1:/mnt/source/rspamd:ro,z + - postfix-vol-1:/mnt/source/postfix:ro,z - mysql-socket-vol-1:/var/run/mysqld/:z + - borg-config-vol-1:/root/.config/borg:Z + - borg-cache-vol-1:/root/.cache/borg:Z - ./data/conf/borgmatic/etc:/etc/borgmatic.d:Z - - ./data/conf/borgmatic/state:/root/.config/borg:Z - ./data/conf/borgmatic/ssh:/root/.ssh:Z environment: - TZ=${TZ} @@ -42,6 +48,10 @@ services: mailcow-network: aliases: - borgmatic + +volumes: + borg-cache-vol-1: + borg-config-vol-1: ``` Ensure that you change the `BORG_PASSPHRASE` to a secure passphrase of your choosing. @@ -61,7 +71,10 @@ location: - /mnt/source repositories: - user@rsync.net:mailcow - remote_path: borg1 + exclude_patterns: + - '/mnt/source/postfix/public/' + - '/mnt/source/postfix/private/' + - '/mnt/source/rspamd/rspamd.sock' retention: keep_hourly: 24 
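Review bot: In the last hunk of `docs/third_party-borgmatic.md` (the `location:` block), `remote_path: borg1` is removed while the example repository stays `user@rsync.net:mailcow`, and the commit message does not mention this removal. It only covers the added volumes, the socket/FIFO excludes and the relocated borg state. If dropping the line is intentional, say why in the commit message; otherwise keep it next to the new `exclude_patterns`. The excludes also cover only `postfix/public/`, `postfix/private/` and `rspamd/rspamd.sock`, so a sentence in the doc stating whether the newly mounted `/mnt/source/redis` needs one would help readers who hit the hang the commit message describes.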
From aef5e6e8a4f0cef8739d60179cd30d855be8ff0e Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 30 Dec 2021 15:23:56 +0100 Subject: [PATCH 266/288] Update dependency pygments to v2.11.0 (#337) Signed-off-by: Peter Co-authored-by: Renovate Bot --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 1977fc130..39a55d803 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,3 +1,3 @@ mkdocs-material==8.1.3 mkdocs-redirects==1.0.3 -pygments==2.10.0 +pygments==2.11.0 From 3733eaccf2d9d44549574d9a8698d4167937e26b Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 31 Dec 2021 18:18:13 +0100 Subject: [PATCH 267/288] Update dependency pygments to v2.11.1 (#338) Signed-off-by: Peter Co-authored-by: Renovate Bot --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 39a55d803..8803e6011 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,3 +1,3 @@ mkdocs-material==8.1.3 mkdocs-redirects==1.0.3 -pygments==2.11.0 +pygments==2.11.1 From ac7a264f3176fe76ba77ac1b00d6c0b816441352 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sun, 2 Jan 2022 14:40:14 +0100 Subject: [PATCH 268/288] Update dependency mkdocs-material to v8.1.4 (#339) Signed-off-by: Peter Co-authored-by: Renovate Bot --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 8803e6011..f98ba0641 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,3 +1,3 @@ -mkdocs-material==8.1.3 +mkdocs-material==8.1.4 mkdocs-redirects==1.0.3 pygments==2.11.1 From 31878afb59bc0929c067866ec7fb63d46d38d7f2 Mon Sep 17 00:00:00 2001 
From: Szymon Andrzejewski Date: Tue, 4 Jan 2022 20:46:33 +0100 Subject: [PATCH 269/288] Update roundcube to 1.5.2 version (#340) --- docs/third_party-roundcube.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/third_party-roundcube.md b/docs/third_party-roundcube.md index bb9af6739..33f7d2a6d 100644 --- a/docs/third_party-roundcube.md +++ b/docs/third_party-roundcube.md @@ -4,9 +4,9 @@ Download Roundcube 1.5.x to the web htdocs directory and extract it (here `rc/`) ``` # Check for a newer release! cd data/web -wget -O - https://github.com/roundcube/roundcubemail/releases/download/1.5.1/roundcubemail-1.5.1-complete.tar.gz | tar xfvz - +wget -O - https://github.com/roundcube/roundcubemail/releases/download/1.5.2/roundcubemail-1.5.2-complete.tar.gz | tar xfvz - # Change folder name -mv roundcubemail-1.5.1 rc +mv roundcubemail-1.5.2 rc # Change permissions chown -R root: rc/ @@ -179,8 +179,8 @@ docker exec -it mailcowdockerized_php-fpm-mailcow_1 bash apk add rsync cd /tmp -wget -O - https://github.com/roundcube/roundcubemail/releases/download/1.5.1/roundcubemail-1.5.1-complete.tar.gz | tar xfvz - -cd roundcubemail-1.5.1 +wget -O - https://github.com/roundcube/roundcubemail/releases/download/1.5.2/roundcubemail-1.5.2-complete.tar.gz | tar xfvz - +cd roundcubemail-1.5.2 bin/installto.sh /web/rc # Type 'Y' and press enter to upgrade your install of Roundcube From 2cbdd16d789ab35039206b758c581f93b376b301 Mon Sep 17 00:00:00 2001 From: MaxXor Date: Wed, 5 Jan 2022 10:51:50 +0100 Subject: [PATCH 270/288] Add doc for automated cold-standby backups --- docs/b_n_r-coldstandby.md | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/docs/b_n_r-coldstandby.md b/docs/b_n_r-coldstandby.md index 5227ccb34..67a52a96a 100644 --- a/docs/b_n_r-coldstandby.md +++ b/docs/b_n_r-coldstandby.md 
@@ -69,3 +69,30 @@ bash /opt/mailcow-dockerized/create_cold_standby.sh It's the same command. +## Automated backups with cron + +First make sure that the `cron` service is enabled and running: + +``` +systemctl enable cron.service && systemctl start cron.service +``` + +To automate the backups to the cold-standby server you can use a cron job. To edit the cron jobs for the root user run: + +``` +crontab -e +``` + +Add the following lines to synchronize the cold standby server daily at 03:00. In this example errors of the last execution are logged into a file. + +``` +PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin + +0 3 * * * bash /opt/mailcow-dockerized/create_cold_standby.sh 2> /var/log/mailcow-coldstandby-sync.log +``` + +If saved correctly, the cron job should be shown by typing: + +``` +crontab -l +``` From 30527e7e95bfde5bf7413eda06e1b0762aeeb2f8 Mon Sep 17 00:00:00 2001 From: Szymon Andrzejewski Date: Wed, 5 Jan 2022 18:53:58 +0100 Subject: [PATCH 271/288] Revert "Update third_party-roundcube.md (#317)" (#341) This reverts commit 2ecd36ab3488d3124a32addaabef13069c0c6035. --- docs/third_party-roundcube.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/docs/third_party-roundcube.md b/docs/third_party-roundcube.md index 33f7d2a6d..460f9d5f4 100644 --- a/docs/third_party-roundcube.md +++ b/docs/third_party-roundcube.md @@ -67,8 +67,6 @@ Initialize the database and leave the installer. Open `data/web/rc/plugins/managesieve/config.inc.php` and change the following parameters (or add them at the bottom of that file): ``` -//Make sure you have Date: Wed, 5 Jan 2022 19:34:55 +0100 Subject: [PATCH 272/288] Update JamesIves/github-pages-deploy-action action to v4.1.9 (#344) Signed-off-by: Peter Co-authored-by: Renovate Bot --- .github/workflows/gh-pages.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index a0be3be85..517f7b55d 100644 
--- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -23,7 +23,7 @@ jobs: mkdocs build --verbose --clean - name: Deploy 🚀 - uses: JamesIves/github-pages-deploy-action@4.1.8 + uses: JamesIves/github-pages-deploy-action@4.1.9 with: token: '${{ secrets.GHPAGES_ACTION_DEPLOY_TOKEN_PAT }}' git-config-name: '${{ secrets.GHPAGES_ACTION_DEPLOY_GITNAME_PAT }}' From e6bb0e628f4c16a56d5488f1420f51665a1f9aea Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 6 Jan 2022 19:52:41 +0100 Subject: [PATCH 273/288] Update JamesIves/github-pages-deploy-action action to v4.2.0 (#346) Signed-off-by: Peter Co-authored-by: Renovate Bot --- .github/workflows/gh-pages.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 517f7b55d..d70ca8dff 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -23,7 +23,7 @@ jobs: mkdocs build --verbose --clean - name: Deploy 🚀 - uses: JamesIves/github-pages-deploy-action@4.1.9 + uses: JamesIves/github-pages-deploy-action@4.2.0 with: token: '${{ secrets.GHPAGES_ACTION_DEPLOY_TOKEN_PAT }}' git-config-name: '${{ secrets.GHPAGES_ACTION_DEPLOY_GITNAME_PAT }}' From 4db82fbba868ee2ec1c74042ae0c723d6a84a5d6 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 6 Jan 2022 19:53:02 +0100 Subject: [PATCH 274/288] Update dependency pygments to v2.11.2 (#345) Signed-off-by: Peter Co-authored-by: Renovate Bot --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index f98ba0641..bb03ab96a 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,3 +1,3 @@ mkdocs-material==8.1.4 mkdocs-redirects==1.0.3 -pygments==2.11.1 +pygments==2.11.2 From f73d72b5bca57c2c9cb29d9288138a5d6fd5ca73 Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sun, 9 Jan 2022 16:23:01 +0100 Subject: [PATCH 275/288] Update dependency mkdocs-material to v8.1.5 (#347) Signed-off-by: Peter Co-authored-by: Renovate Bot --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index bb03ab96a..89fdc8052 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,3 +1,3 @@ -mkdocs-material==8.1.4 +mkdocs-material==8.1.5 mkdocs-redirects==1.0.3 pygments==2.11.2 From a756860af1638bbdf7e3acbb6aab36ca2bcc2caa Mon Sep 17 00:00:00 2001 From: FingerlessGloves Date: Sun, 9 Jan 2022 15:23:48 +0000 Subject: [PATCH 276/288] Roundcube remote resources fix and tidy (#343) Due to how mailcow is configured security wise, some people may get this issue https://github.com/roundcube/roundcubemail/issues/8170 depending on their browser. When you go to press `Allow` to show remote content within an email, it'll redirect you to the root of the website, in this case mailcow login. This fix should be included in the Roundcube 1.6 release, until we hit this release we just need to apply the fix manually for each install/upgrade. --- docs/third_party-roundcube.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/docs/third_party-roundcube.md b/docs/third_party-roundcube.md index 460f9d5f4..a13c88b6b 100644 --- a/docs/third_party-roundcube.md +++ b/docs/third_party-roundcube.md 
@@ -5,11 +5,15 @@ Download Roundcube 1.5.x to the web htdocs directory and extract it (here `rc/`) # Check for a newer release! cd data/web wget -O - https://github.com/roundcube/roundcubemail/releases/download/1.5.2/roundcubemail-1.5.2-complete.tar.gz | tar xfvz - + # Change folder name mv roundcubemail-1.5.2 rc # Change permissions chown -R root: rc/ + +# Fix Allow remote resources (https://github.com/roundcube/roundcubemail/issues/8170) should not be required in 1.6 +sed -i "s/\$prefix = '\.\/';/\$prefix = preg_replace\('\/\[\?\&]\.\*\$\/', '', \$_SERVER\['REQUEST_URI'] \?\? ''\) \?: '\.\/';/g" rc/program/include/rcmail.php ``` If you need spell check features, create a file `data/hooks/phpfpm/aspell.sh` with the following content, then `chmod +x data/hooks/phpfpm/aspell.sh`. This installs a local spell check engine. Note, most modern web browsers have built in spell check, so you may not want/need this. @@ -174,7 +178,6 @@ Upgrading Roundcube is rather simple, go to the [Github releases](https://github docker exec -it mailcowdockerized_php-fpm-mailcow_1 bash # Install required upgrade dependency, then upgrade Roundcube to wanted release - apk add rsync cd /tmp wget -O - https://github.com/roundcube/roundcubemail/releases/download/1.5.2/roundcubemail-1.5.2-complete.tar.gz | tar xfvz - @@ -183,9 +186,10 @@ bin/installto.sh /web/rc # Type 'Y' and press enter to upgrade your install of Roundcube - # Remove leftover files - cd /tmp rm -rf roundcube* + +# Fix Allow remote resources (https://github.com/roundcube/roundcubemail/issues/8170) should not be required in 1.6 +sed -i "s/\$prefix = '\.\/';/\$prefix = preg_replace\('\/\[\?\&]\.\*\$\/', '', \$_SERVER\['REQUEST_URI'] \?\? ''\) \?: '\.\/';/g" /web/rc/program/include/rcmail.php ``` From 934eaee54a1fc5a8e957f7fb0b0876ddbfb96cf3 Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sun, 9 Jan 2022 20:28:45 +0100 Subject: [PATCH 277/288] Update JamesIves/github-pages-deploy-action action to v4.2.1 (#348) Signed-off-by: Peter Co-authored-by: Renovate Bot --- .github/workflows/gh-pages.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index d70ca8dff..91cb3cff4 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -23,7 +23,7 @@ jobs: mkdocs build --verbose --clean - name: Deploy 🚀 - uses: JamesIves/github-pages-deploy-action@4.2.0 + uses: JamesIves/github-pages-deploy-action@4.2.1 with: token: '${{ secrets.GHPAGES_ACTION_DEPLOY_TOKEN_PAT }}' git-config-name: '${{ secrets.GHPAGES_ACTION_DEPLOY_GITNAME_PAT }}' From eec98c44088594370d0806006c6607b85904598d Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 10 Jan 2022 17:20:47 +0100 Subject: [PATCH 278/288] Update JamesIves/github-pages-deploy-action action to v4.2.2 (#349) Signed-off-by: Peter Co-authored-by: Renovate Bot --- .github/workflows/gh-pages.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml index 91cb3cff4..d1c2d803b 100644 --- a/.github/workflows/gh-pages.yml +++ b/.github/workflows/gh-pages.yml @@ -23,7 +23,7 @@ jobs: mkdocs build --verbose --clean - name: Deploy 🚀 - uses: JamesIves/github-pages-deploy-action@4.2.1 + uses: JamesIves/github-pages-deploy-action@v4.2.2 with: token: '${{ secrets.GHPAGES_ACTION_DEPLOY_TOKEN_PAT }}' git-config-name: '${{ secrets.GHPAGES_ACTION_DEPLOY_GITNAME_PAT }}' From e494194ded9c9a6371aad2078b2caf9de1798bb7 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 11 Jan 2022 17:47:11 +0100 Subject: [PATCH 279/288] Update dependency mkdocs-material to v8.1.6 (#350) 
Signed-off-by: Peter Co-authored-by: Renovate Bot --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 89fdc8052..f692576da 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,3 +1,3 @@ -mkdocs-material==8.1.5 +mkdocs-material==8.1.6 mkdocs-redirects==1.0.3 pygments==2.11.2 From 280a86c6e2ceb7ebf9133c1af5ef352b66d63e36 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 18 Jan 2022 15:09:24 +0100 Subject: [PATCH 280/288] Update dependency mkdocs-material to v8.1.7 (#351) Signed-off-by: Peter Co-authored-by: Renovate Bot --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index f692576da..d96692825 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,3 +1,3 @@ -mkdocs-material==8.1.6 +mkdocs-material==8.1.7 mkdocs-redirects==1.0.3 pygments==2.11.2 From d8a82d2d110e6e15fa1df24c3dbea7ebee34b731 Mon Sep 17 00:00:00 2001 From: Niklas Meyer <62480600+DerLinkman@users.noreply.github.com> Date: Wed, 19 Jan 2022 21:56:36 +0100 Subject: [PATCH 281/288] [WebAuthn] Changed TFA docs for WebAuthn --- docs/u_e-mailcow_ui-tfa.md | 48 ++++++++++++++++++++++++++------------ 1 file changed, 33 insertions(+), 15 deletions(-) diff --git a/docs/u_e-mailcow_ui-tfa.md b/docs/u_e-mailcow_ui-tfa.md index 291f09b38..fdef81fd4 100644 --- a/docs/u_e-mailcow_ui-tfa.md +++ b/docs/u_e-mailcow_ui-tfa.md 
@@ -1,9 +1,9 @@ -So far three methods for _Two-Factor Authentication_ are implemented: U2F, Yubi OTP, and TOTP +So far three methods for _Two-Factor Authentication_ are implemented: WebAuthn (replacing U2F since February 2022), Yubi OTP, and TOTP -- For U2F to work, you need an encrypted connection to the server (HTTPS) as well as a FIDO security key. -- Both U2F and Yubi OTP work well with the fantastic [Yubikey](https://www.yubico.com). -- While Yubi OTP needs an active internet connection and an API ID + key, U2F will work with any FIDO U2F USB key out of the box, but can only be used when mailcow is accessed over HTTPS. -- U2F and Yubi OTP support multiple keys per user. +- For WebAuthn to work, you need an encrypted connection to the server (HTTPS) as well as a FIDO security key. +- Both WebAuthn and Yubi OTP work well with the fantastic [Yubikey](https://www.yubico.com). +- While Yubi OTP needs an active internet connection and an API ID + key, WebAuthn will work with any FIDO U2F/WebAuthn USB key out of the box, but can only be used when mailcow is accessed over HTTPS. +- WebAuthn and Yubi OTP support multiple keys per user. - As the third TFA method mailcow uses TOTP: time-based one-time passwords. Those passwords can be generated with apps like "Google Authenticator" after initially scanning a QR code or entering the given secret manually. As administrator you are able to temporary disable a domain administrators TFA login until they successfully logged in. @@ -37,26 +37,44 @@ Finally, enter your current account password and, after selecting the `Touch Yub Congratulations! You can now log in to the mailcow UI using your YubiKey! -## U2F +## WebAuthn (U2F, replacement) +> :warning: **Since February 2022 Google Chrome has discarded support for U2F and recommended the use of WebAuthn.
    ** +> *The WebAuthn (U2F removal) is part of mailcow since 21th January 2022, so if you want to use the Key past February 2022 please consider a update with the `update.sh` script.* -To use U2F, the browser must support this standard. +To use WebAuthn, the browser must support this standard. The following desktop browsers support this authentication type: -- Edge (>=79) -- Firefox (>=47, enabled by default since version 67) -- Chrome (>=41) +- Edge (>=18) +- Firefox (>=60) +- Chrome (>=67) - Safari (>=13) -- Opera (40, >=42, not 41) +- Opera (>=54) The following mobile browsers support this authentication type: -- Safari on iOS (>=13.3) -- Firefox on Android (>=68) +- Safari on iOS (>=14.5) +- Android Browser (>=97) +- Opera Mobile (>=64) +- Chrome for Android (>=97) -Sources: [caniuse.com](https://caniuse.com/u2f), [blog.mozilla.org](https://blog.mozilla.org/security/2019/08/05/web-authentication-in-firefox-for-android/) +Sources: [caniuse.com](https://caniuse.com/webauthn), [blog.mozilla.org](https://blog.mozilla.org/security/2019/04/04/shipping-fido-u2f-api-support-in-firefox/) -U2F works without an internet connection. +WebAuthn works without an internet connection. + +### What will happen to my registered U2F Key after the Update? +> With this new U2F replacement (WebAuthn) you have to re-register your U2F Key, thankfully WebAuthn is backwards compatible with the most recent U2F Keys. + +Ideally, the next time you log in (with the key), you should get a text box saying that your U2F key has been removed due to the update to WebAuthn and deleted as a 2-factor authenticator. + +But don't worry! You can simply re-register your existing key and use it as usual, you probably won't even notice a difference, except that your browser won't show the U2F deactivation message anymore. 
+ +### Disable unofficial supported U2F keys +With WebAuthn there is the possibility to use only official U2F keys (from the big brands, like: Yubico, Apple, Nitro, Google, Huawei, Microsoft, etc.). + +This is primarily for security purposes, as it allows administrators to ensure that only official hardware can be used at their site. + +To enable this feature, change the value `WEBAUTHN_ONLY_CERTIFIED_KEYS` in mailcow.conf from `n` to `y` and restart the affected containers with `docker-compose up -d`. ### TOTP From c9f4bfe4c3c31fb9bcab66b31af522e689bae627 Mon Sep 17 00:00:00 2001 From: Niklas Meyer <62480600+DerLinkman@users.noreply.github.com> Date: Thu, 20 Jan 2022 11:39:38 +0100 Subject: [PATCH 282/288] [Web UI 2FA] Improved WebAuthn Text + TOTP instruction --- docs/u_e-mailcow_ui-tfa.md | 28 +++++++++++++++++++++++----- 1 file changed, 23 insertions(+), 5 deletions(-) diff --git a/docs/u_e-mailcow_ui-tfa.md b/docs/u_e-mailcow_ui-tfa.md index fdef81fd4..b89e24d2b 100644 --- a/docs/u_e-mailcow_ui-tfa.md +++ b/docs/u_e-mailcow_ui-tfa.md @@ -38,7 +38,7 @@ Finally, enter your current account password and, after selecting the `Touch Yub Congratulations! You can now log in to the mailcow UI using your YubiKey! ## WebAuthn (U2F, replacement) -> :warning: **Since February 2022 Google Chrome has discarded support for U2F and recommended the use of WebAuthn.
    ** +> :warning: **Since February 2022 Google Chrome has discarded support for U2F and standardized the use of WebAuthn.
    ** > *The WebAuthn (U2F removal) is part of mailcow since 21th January 2022, so if you want to use the Key past February 2022 please consider a update with the `update.sh` script.* To use WebAuthn, the browser must support this standard. 
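Review bot: The reworded warning in this hunk ("Since February 2022 Google Chrome has discarded support for U2F and standardized the use of WebAuthn.") speaks in the past tense about February 2022 although the commit is dated 20 January 2022, and "standardized" reads as if Chrome itself defined the standard. Suggest wording such as "From February 2022 Google Chrome no longer supports U2F; use WebAuthn instead." The context line directly below could be fixed in the same pass: "21th January" should be "21st January" and "a update" should be "an update".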
@@ -70,12 +70,30 @@ Ideally, the next time you log in (with the key), you should get a text box sayi But don't worry! You can simply re-register your existing key and use it as usual, you probably won't even notice a difference, except that your browser won't show the U2F deactivation message anymore. ### Disable unofficial supported U2F keys -With WebAuthn there is the possibility to use only official U2F keys (from the big brands, like: Yubico, Apple, Nitro, Google, Huawei, Microsoft, etc.). +With WebAuthn there is the possibility to use only official U2F keys (from the big brands like: Yubico, Apple, Nitro, Google, Huawei, Microsoft, etc.). -This is primarily for security purposes, as it allows administrators to ensure that only official hardware can be used at their site. +This is primarily for security purposes, as it allows administrators to ensure that only official hardware can be used in their environment. -To enable this feature, change the value `WEBAUTHN_ONLY_CERTIFIED_KEYS` in mailcow.conf from `n` to `y` and restart the affected containers with `docker-compose up -d`. +To enable this feature, change the value `WEBAUTHN_ONLY_TRUSTED_VENDORS` in mailcow.conf from `n` to `y` and restart the affected containers with `docker-compose up -d`. -### TOTP +The mailcow will now use the Vendor Certificates located in your mailcow directory under `data/web/inc/lib/WebAuthn/rootCertificates`. + +##### Example: +If you want to limit the official Vendor devices to Apple only you only need the Apple Vendor Certificate inside the `data/web/inc/lib/WebAuthn/rootCertificates`. +After you deleted all other certs you now only can activate WebAuthn 2FA with Apple devices. + +That´s for every vendor the same, so choose what you like (if you want to) + +## TOTP The best known TFA method mostly used with a smartphone. + +To setup the TOTP method login to the Admin UI and select `Time-based OTP (TOTP)` from the list. 
+ +Now a modal will open in which you have to type in a name for your 2FA "device" (example: John Deer´s Smartphone) and the password of the affected Admin account (you are currently logged in with). + +You have two seperate methods to register TOTP to your account: +1. Scan the QR-Code with your Authenticator App on a Smartphone or Tablet. +2. Use the TOTP Code (under the QR Code) in your TOTP Program or App (if you can´t scan a QR Code). + +After you have registered the QR or TOTP code in the TOTP app/program of your choice you only need to enter the now generated TOTP token (in the app/program) as confirmation in the mailcow UI to finally activate the TOTP 2FA, otherwise it will not be activated even though the TOTP token is already generated in your app/program. From 204872051aa9610631fce27dad18b629e8b35ee6 Mon Sep 17 00:00:00 2001 From: Niklas Meyer <62480600+DerLinkman@users.noreply.github.com> Date: Thu, 20 Jan 2022 15:42:41 +0100 Subject: [PATCH 283/288] [WebAuthn] Fixed some typos + added Own Certficates Doc --- docs/u_e-mailcow_ui-tfa.md | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/docs/u_e-mailcow_ui-tfa.md b/docs/u_e-mailcow_ui-tfa.md index b89e24d2b..b6f5f9b23 100644 --- a/docs/u_e-mailcow_ui-tfa.md +++ b/docs/u_e-mailcow_ui-tfa.md 
@@ -63,7 +63,7 @@ Sources: [caniuse.com](https://caniuse.com/webauthn), [blog.mozilla.org](https:/ WebAuthn works without an internet connection. ### What will happen to my registered U2F Key after the Update? -> With this new U2F replacement (WebAuthn) you have to re-register your U2F Key, thankfully WebAuthn is backwards compatible with the most recent U2F Keys. +> :warning: With this new U2F replacement (WebAuthn) you have to re-register your U2F Key, thankfully WebAuthn is backwards compatible and supports the U2F protocol. Ideally, the next time you log in (with the key), you should get a text box saying that your U2F key has been removed due to the update to WebAuthn and deleted as a 2-factor authenticator. @@ -82,7 +82,14 @@ The mailcow will now use the Vendor Certificates located in your mailcow directo If you want to limit the official Vendor devices to Apple only you only need the Apple Vendor Certificate inside the `data/web/inc/lib/WebAuthn/rootCertificates`. After you deleted all other certs you now only can activate WebAuthn 2FA with Apple devices. -That´s for every vendor the same, so choose what you like (if you want to) +That´s for every vendor the same, so choose what you like (if you want to). + +#### Use own certificates for WebAuthn +If you have a valid certificate from the vendor of your key you can also add it to your mailcow! + +Just copy the certificate into the `data/web/inc/lib/WebAuthn/rootCertificates` folder and restart your mailcow. + +Now you should be able to register with this device as well, even though the verification for the vendor certificates is enabled, since you just added the certificate manually. ## TOTP From 156b9a6b7f13ee056474f2590c3c385d6893394e Mon Sep 17 00:00:00 2001 From: Niklas Meyer <62480600+DerLinkman@users.noreply.github.com> Date: Thu, 20 Jan 2022 15:47:25 +0100 Subject: [PATCH 284/288] [WebAuthn] Reference to WebAuthn 2FA page --- docs/u_e-fido2.md | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/docs/u_e-fido2.md b/docs/u_e-fido2.md index 49dc78fb8..10e213a53 100644 --- a/docs/u_e-fido2.md +++ b/docs/u_e-fido2.md @@ -13,3 +13,6 @@ When calling the login process, the authenticator is not given any credential ID ## Who can use WebAuthn to login to mailcow? As of today, only administrators and domain administrators are able to setup WebAuthn/FIDO2. + +--- +**You want to use WebAuthn/Fido as 2FA? Check it out here: [Two-Factor Authentication](https://mailcow.github.io/mailcow-dockerized-docs/u_e-mailcow_ui-tfa/)** From c353558af5439ff5e0fb2bb60839478a71fc301f Mon Sep 17 00:00:00 2001 From: Niklas Meyer <62480600+DerLinkman@users.noreply.github.com> Date: Thu, 20 Jan 2022 15:51:24 +0100 Subject: [PATCH 285/288] [WebAuthn] Corrects U2F security key to Fido security key --- docs/u_e-mailcow_ui-tfa.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/u_e-mailcow_ui-tfa.md b/docs/u_e-mailcow_ui-tfa.md index b6f5f9b23..692fb36aa 100644 --- a/docs/u_e-mailcow_ui-tfa.md +++ b/docs/u_e-mailcow_ui-tfa.md 
@@ -2,7 +2,7 @@ So far three methods for _Two-Factor Authentication_ are implemented: WebAuthn ( - For WebAuthn to work, you need an encrypted connection to the server (HTTPS) as well as a FIDO security key. - Both WebAuthn and Yubi OTP work well with the fantastic [Yubikey](https://www.yubico.com). -- While Yubi OTP needs an active internet connection and an API ID + key, WebAuthn will work with any FIDO U2F/WebAuthn USB key out of the box, but can only be used when mailcow is accessed over HTTPS. +- While Yubi OTP needs an active internet connection and an API ID + key, WebAuthn will work with any Fido Security Key out of the box, but can only be used when mailcow is accessed over HTTPS. - WebAuthn and Yubi OTP support multiple keys per user. - As the third TFA method mailcow uses TOTP: time-based one-time passwords. Those passwords can be generated with apps like "Google Authenticator" after initially scanning a QR code or entering the given secret manually. 
@@ -62,15 +62,15 @@ Sources: [caniuse.com](https://caniuse.com/webauthn), [blog.mozilla.org](https:/ WebAuthn works without an internet connection. -### What will happen to my registered U2F Key after the Update? -> :warning: With this new U2F replacement (WebAuthn) you have to re-register your U2F Key, thankfully WebAuthn is backwards compatible and supports the U2F protocol. +### What will happen to my registered Fido Security Key after the Update from U2F to WebAuthn? +> :warning: With this new U2F replacement (WebAuthn) you have to re-register your Fido Security Key, thankfully WebAuthn is backwards compatible and supports the U2F protocol. -Ideally, the next time you log in (with the key), you should get a text box saying that your U2F key has been removed due to the update to WebAuthn and deleted as a 2-factor authenticator. +Ideally, the next time you log in (with the key), you should get a text box saying that your Fido Security Key has been removed due to the update to WebAuthn and deleted as a 2-factor authenticator. But don't worry! You can simply re-register your existing key and use it as usual, you probably won't even notice a difference, except that your browser won't show the U2F deactivation message anymore. -### Disable unofficial supported U2F keys -With WebAuthn there is the possibility to use only official U2F keys (from the big brands like: Yubico, Apple, Nitro, Google, Huawei, Microsoft, etc.). +### Disable unofficial supported Fido Security Keys +With WebAuthn there is the possibility to use only official Fido Security Keys (from the big brands like: Yubico, Apple, Nitro, Google, Huawei, Microsoft, etc.). This is primarily for security purposes, as it allows administrators to ensure that only official hardware can be used in their environment. 
@@ -89,7 +89,7 @@ If you have a valid certificate from the vendor of your key you can also add it Just copy the certificate into the `data/web/inc/lib/WebAuthn/rootCertificates` folder and restart your mailcow. -Now you should be able to register with this device as well, even though the verification for the vendor certificates is enabled, since you just added the certificate manually. +Now you should be able to register this device as well, even though the verification for the vendor certificates is enabled, since you just added the certificate manually. ## TOTP From 095fe20e34496feea6792fd070e9b28283b0f7eb Mon Sep 17 00:00:00 2001 From: Niklas Meyer <62480600+DerLinkman@users.noreply.github.com> Date: Thu, 20 Jan 2022 15:57:35 +0100 Subject: [PATCH 286/288] [WebAuthn] Added article to clarify about Vendor CA --- docs/u_e-mailcow_ui-tfa.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/docs/u_e-mailcow_ui-tfa.md b/docs/u_e-mailcow_ui-tfa.md index 692fb36aa..be73f5730 100644 --- a/docs/u_e-mailcow_ui-tfa.md +++ b/docs/u_e-mailcow_ui-tfa.md @@ -37,6 +37,8 @@ Finally, enter your current account password and, after selecting the `Touch Yub Congratulations! You can now log in to the mailcow UI using your YubiKey! +--- + ## WebAuthn (U2F, replacement) > :warning: **Since February 2022 Google Chrome has discarded support for U2F and standardized the use of WebAuthn.
    ** > *The WebAuthn (U2F removal) is part of mailcow since 21th January 2022, so if you want to use the Key past February 2022 please consider a update with the `update.sh` script.* @@ -78,6 +80,17 @@ To enable this feature, change the value `WEBAUTHN_ONLY_TRUSTED_VENDORS` in mail The mailcow will now use the Vendor Certificates located in your mailcow directory under `data/web/inc/lib/WebAuthn/rootCertificates`. +### Is it dangerous to keep the Vendor Check disabled? +No, it isn´t! +These vendor certificates are only used to verify original hardware, not to secure the registration process. + +As you can read in these articles, the deactivation is not software security related: +- [https://developers.yubico.com/U2F/Attestation_and_Metadata/](https://developers.yubico.com/U2F/Attestation_and_Metadata/) +- [https://medium.com/webauthnworks/webauthn-fido2-demystifying-attestation-and-mds-efc3b3cb3651](https://medium.com/webauthnworks/webauthn-fido2-demystifying-attestation-and-mds-efc3b3cb3651) +- [https://medium.com/webauthnworks/sorting-fido-ctap-webauthn-terminology-7d32067c0b01](https://medium.com/webauthnworks/sorting-fido-ctap-webauthn-terminology-7d32067c0b01) + +In the end, however, it is of course your decision to leave this check disabled or enabled. + ##### Example: If you want to limit the official Vendor devices to Apple only you only need the Apple Vendor Certificate inside the `data/web/inc/lib/WebAuthn/rootCertificates`. After you deleted all other certs you now only can activate WebAuthn 2FA with Apple devices. @@ -91,6 +104,8 @@ Just copy the certificate into the `data/web/inc/lib/WebAuthn/rootCertificates` Now you should be able to register this device as well, even though the verification for the vendor certificates is enabled, since you just added the certificate manually. +--- + ## TOTP The best known TFA method mostly used with a smartphone. From 091b4819e54f295870904cce53061999346ef31b Mon Sep 17 00:00:00 2001 
From: Niklas Meyer <62480600+DerLinkman@users.noreply.github.com> Date: Thu, 20 Jan 2022 15:59:28 +0100 Subject: [PATCH 287/288] [WebAuthn] Changed order --- docs/u_e-mailcow_ui-tfa.md | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/docs/u_e-mailcow_ui-tfa.md b/docs/u_e-mailcow_ui-tfa.md index be73f5730..4aae3f3d0 100644 --- a/docs/u_e-mailcow_ui-tfa.md +++ b/docs/u_e-mailcow_ui-tfa.md @@ -80,17 +80,6 @@ To enable this feature, change the value `WEBAUTHN_ONLY_TRUSTED_VENDORS` in mail The mailcow will now use the Vendor Certificates located in your mailcow directory under `data/web/inc/lib/WebAuthn/rootCertificates`. -### Is it dangerous to keep the Vendor Check disabled? -No, it isn´t! -These vendor certificates are only used to verify original hardware, not to secure the registration process. - -As you can read in these articles, the deactivation is not software security related: -- [https://developers.yubico.com/U2F/Attestation_and_Metadata/](https://developers.yubico.com/U2F/Attestation_and_Metadata/) -- [https://medium.com/webauthnworks/webauthn-fido2-demystifying-attestation-and-mds-efc3b3cb3651](https://medium.com/webauthnworks/webauthn-fido2-demystifying-attestation-and-mds-efc3b3cb3651) -- [https://medium.com/webauthnworks/sorting-fido-ctap-webauthn-terminology-7d32067c0b01](https://medium.com/webauthnworks/sorting-fido-ctap-webauthn-terminology-7d32067c0b01) - -In the end, however, it is of course your decision to leave this check disabled or enabled. - ##### Example: If you want to limit the official Vendor devices to Apple only you only need the Apple Vendor Certificate inside the `data/web/inc/lib/WebAuthn/rootCertificates`. After you deleted all other certs you now only can activate WebAuthn 2FA with Apple devices. 
@@ -104,6 +93,17 @@ Just copy the certificate into the `data/web/inc/lib/WebAuthn/rootCertificates` Now you should be able to register this device as well, even though the verification for the vendor certificates is enabled, since you just added the certificate manually. +#### Is it dangerous to keep the Vendor Check disabled? +No, it isn´t! +These vendor certificates are only used to verify original hardware, not to secure the registration process. + +As you can read in these articles, the deactivation is not software security related: +- [https://developers.yubico.com/U2F/Attestation_and_Metadata/](https://developers.yubico.com/U2F/Attestation_and_Metadata/) +- [https://medium.com/webauthnworks/webauthn-fido2-demystifying-attestation-and-mds-efc3b3cb3651](https://medium.com/webauthnworks/webauthn-fido2-demystifying-attestation-and-mds-efc3b3cb3651) +- [https://medium.com/webauthnworks/sorting-fido-ctap-webauthn-terminology-7d32067c0b01](https://medium.com/webauthnworks/sorting-fido-ctap-webauthn-terminology-7d32067c0b01) + +In the end, however, it is of course your decision to leave this check disabled or enabled. + --- ## TOTP From f21296a9997ca080f43f05d976f208597458e3a2 Mon Sep 17 00:00:00 2001 From: Niklas Meyer <62480600+DerLinkman@users.noreply.github.com> Date: Fri, 21 Jan 2022 20:27:51 +0100 Subject: [PATCH 288/288] [Mkdocs] Update Copyright + added Twitter Link --- mkdocs.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/mkdocs.yml b/mkdocs.yml index 6dc5e92d4..7b0e65151 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -1,6 +1,6 @@ site_name: "mailcow: dockerized documentation" site_url: https://mailcow.github.io/mailcow-dockerized-docs/ -copyright: "Copyright © 2021 André Peters" +copyright: "Copyright © 2022 André Peters & Community" repo_name: mailcow/mailcow-dockerized repo_url: https://github.com/mailcow/mailcow-dockerized edit_uri: ../mailcow-dockerized-docs/edit/master/docs/ 
@@ -152,6 +152,8 @@ extra: link: https://mailcow.email - icon: fontawesome/brands/github-alt link: https://github.com/mailcow + - icon: fontawesome/brands/twitter + link: https://twitter.com/mailcow_email extra_css: [ extra.css ] extra_javascript: [ clients.js ] plugins:
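Review bot: in the `@@ -70,12 +70,30 @@` hunk of `docs/u_e-mailcow_ui-tfa.md`, the `##### Example:` block tells admins to delete files from `data/web/inc/lib/WebAuthn/rootCertificates` but does not say whether the deletion has any effect while `WEBAUTHN_ONLY_TRUSTED_VENDORS` is still `n`, or what happens to keys that were registered before the certificates were removed. Please state both, and say whether the same `docker-compose up -d` restart is needed after the directory changes. The heading also jumps from `###` to `#####`; `####` would keep the outline consistent. Minor: "seperate" should be "separate", and `That´s`, `can´t` and `Deer´s` use an acute accent where an apostrophe is meant.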
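Review bot: the new "Use own certificates for WebAuthn" section in the `@@ -82,7 +82,14 @@` hunk (PATCH 283/288) says to "just copy the certificate" into `data/web/inc/lib/WebAuthn/rootCertificates` but never says which certificate is meant or in what file format. Since mailcow uses the certificates in that directory for the vendor check, the section should say that the file has to be the vendor's own certificate obtained from the vendor, and recommend comparing its fingerprint with the value the vendor publishes before restarting. Please also name the expected encoding and file extension.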
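Review bot: the link added in the `@@ -13,3 +13,6 @@` hunk of `docs/u_e-fido2.md` (PATCH 284/288) hard-codes `https://mailcow.github.io/mailcow-dockerized-docs/u_e-mailcow_ui-tfa/`. A relative link to `u_e-mailcow_ui-tfa.md` would keep working in local builds and forks and lets MkDocs check the target at build time. "Fido" in the same line should be written "FIDO".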
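Review bot: the `@@ -62,15 +62,15 @@` hunk of PATCH 285/288 writes "Fido Security Key" throughout, while the unchanged context in the `@@ -2,7 +2,7 @@` hunk of the same file still reads "FIDO security key"; pick one spelling, preferably the acronym "FIDO". The renamed heading "Disable unofficial supported Fido Security Keys" is also ungrammatical; "Disable unofficially supported ..." or "Allow only keys from trusted vendors" would read better and match the `WEBAUTHN_ONLY_TRUSTED_VENDORS` setting this section documents.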
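Review bot: in the `@@ -78,6 +80,17 @@` hunk of PATCH 286/288, the answer "No, it isn´t!" is stronger than the sentence that follows it supports. That sentence says the vendor certificates are "only used to verify original hardware", so with the check disabled mailcow does not verify that a registered key is genuine vendor hardware; the section should name that as the trade-off and then explain why the registration process itself is unaffected. The new `###` section is also inserted between the paragraph about `data/web/inc/lib/WebAuthn/rootCertificates` and its `##### Example:`, which detaches the example from the text it illustrates (PATCH 287/288 moves it; consider squashing the two). `isn´t` should use an apostrophe.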